b'Report No. D-2008-139          September 30, 2008\n\n\n\n\n      Defense Civilian Pay System Controls\n        Placed in Operation and Tests of\n         Operating Effectiveness for the\n            Period October 1, 2007,\n            through March 31, 2008\n\x0cAdditional Copies\n\nTo obtain additional copies of this report, visit the Web site of the Department of\nDefense Inspector General at http://www.dodig.mil/audit/reports or contact the\nSecondary Reports Distribution Unit at (703) 604-8937 (DSN 664-8937) or fax\n(703) 604-8932.\n\nSuggestions for Future Audits\n\nTo suggest ideas for or to request future audits, contact the Office of the Deputy\nInspector General for Auditing at (703) 604-9142 (DSN 664-9142) or fax (703)\n604-8932. Ideas and requests can also be mailed to:\n\n                     ODIG-AUD (ATTN: Audit Suggestions)\n                     Department of Defense Inspector General\n                       400 Army Navy Drive (Room 801)\n                           Arlington, VA 22202-4704\n\x0c                                      INSPECTOR GENERAL\n                                     DEPARTMENT OF DEFENSE\n                                      400 ARMY NAVY DRIVE\n                                 ARLINGTON, VIRGINIA 22202-4704\n\n\n\n\n                                                                         September 30, 2008\n\nMEMORANDUM FOR UNDER SECRETARY OF DEFENSE\n                 (COMPTROLLER)/CHIEF FINANCIAL OFFICER\n               ASSISTANT SECRETARY OF DEFENSE (NETWORKS\n                 AND INFORMATION INTEGRATION)/DOD ClITEF\n                 INFORMATION OFFICER\n               DIRECTOR, DEFENSE FlNANCE AND ACCOUNTlNG\n                 SERVICE\n               DIRECTOR, DEFENSE INFORMATION SYSTEMS\n                 AGENCY\n\nSUBJECT: Rep011 on Defense Civilian Pay System Controls Placed in Operation and\n         Tests of Operating Effectiveness for the Period October 1,2007, through\n         March 31,2008 (Rep011 No. 
D-2008-139)\n\n\nWe are providing this report for your infonnation and use. No written response to this\nreport is required. Therefore, we are publishing this report in final form.\n\nWe appreciate the courtesies extended to the staff. Questions should be directed to\nMs. Patricia Remington at (703) 601-5815 (DSN 329-5815) or Mrs. Donna A. Roberts at\n(703) 601-5859 (DSN 329-5859). The team members are listed inside the back cover.\n\n\n\n\n                                        toJ;v~~~/           OL. m~\n                                        Patricia A. Marsh, CPA\n                                     Assistant Inspector General\n                                  Defense Financial Auditing Service\n\x0c\x0cTable of Contents\nForeword                                                                         i\n\nSection I\n      Independent Service Auditor\xe2\x80\x99s Report                                       1\n\nSection II\n      Description of the Defense Civilian Pay System Operations and Controls\n         Provided by the Defense Finance and Accounting Service and the\n         Defense Information Systems Agency                                     13\n\nSection III\n     Control Objectives, Control Activities, and Tests of Operating\n        Effectiveness                                                           25\n\nSection IV\n      Supplemental Information Provided by the Defense Finance and\n         Accounting Service and the Defense Information Systems Agency         113\n\nAcronyms and Abbreviations                                                     117\n\x0c\x0c                                        Foreword\n\nThis report is intended for the use of the Defense Finance and Accounting Service\n(DFAS) and the Defense Information Systems Agency (DISA) management, its user\norganizations, and the independent auditors of its user organizations. 
DoD personnel who\nmanage and use the Defense Civilian Personnel System (DCPS) will also find this report\nof interest as it contains information about DCPS general and application controls.\n\nThe DoD Office of Inspector General (OIG) is implementing a long-range strategy to\nconduct audits of DoD financial statements. The Chief Financial Officers Act of 1990\n(Public Law 101-576), as amended, mandates that agencies prepare and conduct audits of\nfinancial statements, which is key to achieve the goals of the Chief Financial Officers\nAct.\n\nThe DCPS is a pay processing system used to pay DoD civilian employees, as well as\nemployees at several other Federal entities, including the Departments of Energy, Health\nand Human Services, and the Executive Office of the President. As of March 31, 2008,\nDCPS processes pay for approximately 834,000 employees.\n\nThis audit assessed controls over the DCPS processes at DFAS and DISA. This report\nprovides an opinion on the fairness of presentation, the adequacy of design, and the\noperating effectiveness of key controls that are relevant to audits of user organization\nfinancial statements. As a result, this audit precludes the need for multiple audits of\nDCPS performed by user organizations to plan or conduct financial statement and\nperformance audits. 
Effective internal control is critical to achieve reliable information\nfor all management reporting and decision making.\n\n\n\n\n                                              i\n\x0c\x0cSection I: Independent Service Auditor\xe2\x80\x99s Report\n\n\n\n\n                       1\n\x0c\x0c\x0cThese types of pervasive controls include:\n\n    \xe2\x80\xa2    overall security planning (for example, DECC risk assessments, site security plans,\n         security management structure);\n\n    \xe2\x80\xa2    general employee processes (for example, background investigations and position and job\n         descriptions);\n\n    \xe2\x80\xa2    group authentication;1 and\n\n    \xe2\x80\xa2    physical security:\n             \xc2\x83    visitor access;\n             \xc2\x83    network administration (for example, firewalls, network scans, remote\n                  access, network monitoring, use of mobile code);\n             \xc2\x83    incident response;\n             \xc2\x83    environmental controls; and\n             \xc2\x83    hardware maintenance.\n\nWe did not examine these pervasive controls at the DISA DECC-MECH data center\nbecause these controls were evaluated as part of the DISA Statements of Auditing\nStandard No. 70 (SAS 70) and excluded from the scope of this audit at the direction of\nthe DoD OIG.\n\nThe accompanying description includes those application control objectives and related\ncontrols resident at the Charleston, South Carolina; Pensacola, Florida; Indianapolis,\nIndiana; Cleveland, Ohio; and Denver, Colorado Payroll Offices. However, due to the\npayroll office consolidation as a result of the Base Realignment and Closure (BRAC), the\nCharleston and Denver Payroll Offices permanently closed during this audit. In addition,\nthe Pensacola Payroll Office permanently closed on May 31, 2008. 
The remaining payroll\noffices in Indianapolis, Indiana, and Cleveland, Ohio, performed the control activities.\nTherefore, we did not inspect controls specific to the closed locations as part of this audit.\n\nDCPS processes approximately 81 interface files from DoD and external systems.\nExamples of systems that provide interface files2 to DCPS include the Defense Civilian\nPersonnel Data System, Federal Reserve, Thrift Savings Plan, and the Department of\nTreasury. The accompanying description does not include control objectives and general\nand application controls related to the systems that interface with DCPS. In addition, our\naudit did not extend to the controls at the National Security Agency (NSA). Furthermore,\n\n\n1The act of verifying the identity of a user and the user\xe2\x80\x99s eligibility to access computerized information.\nDesigned to protect a system against fraudulent activity.\n\n2A connection between two devices, applications, or networks or a boundary across which two systems\ncommunicate.\n\n                                                      4\n\x0cbecause of the sensitive nature of the pay information for personnel who work for the\nExecutive Office of the President (EOP), our audit did not extend to the controls over\nEOP payee transactions.\n\nWe conducted our audit for the purpose of forming an opinion of the description of the\nDCPS general and application controls at DFAS and DISA (Sections II and III). We\nhave included information about business continuity plans and procedures at DFAS and\nDISA, as provided by DFAS and DISA respectively in Section IV. Section IV only\nprovides additional information to user organizations and is not a part of the description\nof controls at DFAS and DISA. The information in Section IV has not been subjected to\nthe procedures applied in the audit of the controls at DFAS and DISA. 
Accordingly, we\ndo not express an opinion on the description of DFAS and DISA business continuity\nplans and procedures.\n\nWe identified the following control design deficiencies related to the controls described\nin Section III, Control Objectives, Control Activities, and Tests of Operating\nEffectiveness.\n\nLack of Approved Policies\n\nWe noted that no policy exists that requires Civilian Pay Processing personnel to generate\nand review a complete, accurate listing of management summary reports to confirm that\npayroll is processed timely and accurately. In addition, we noted there was no policy for\nretaining 592 documentation; specifically, the 592 Report Checklist and the 592 Report\nof Withholdings. We also noted that there was no policy at DFAS Indianapolis for the\nphysical security of the pay processing areas.\n\nAs a result, the design of the controls does not provide reasonable assurance that the\nfollowing control objectives will be achieved.\n\n\xe2\x80\x9cControls prevent unauthorized system access to DCPS data.\xe2\x80\x9d\n\n\xe2\x80\x9cControls provide reasonable assurance that personnel and payroll data processed and\nstored at the DFAS and DISA General Computer Control locations are valid, accurate,\nauthorized, complete, timely, support financial reporting requirements and provide\nsufficient audit trails.\xe2\x80\x9d\n\nAs discussed in Sections II and III, DFAS and DISA have developed policies and\nprocedures to ensure that personnel and payroll data processed and stored at DFAS and\nDISA are valid, accurate, authorized, complete, timely, support financial reporting\nrequirements, and provide sufficient audit trails. However, these policies have not been\nconsistently updated or followed by DFAS. 
As a result, the design of DFAS controls\ndoes not provide reasonable assurance that the control objectives, \xe2\x80\x9cControls prevent\nunauthorized system access to DCPS data\xe2\x80\x9d; and \xe2\x80\x9cControls provide reasonable assurance\nthat personnel and payroll data processed and stored at the DFAS and DISA General\nComputer Control locations are valid, accurate, authorized, complete, timely, support\nfinancial reporting requirements and provide sufficient audit trails,\xe2\x80\x9d will be achieved.\n\n                                             5\n\x0cIn our opinion, Sections II and III present fairly, in all material respects, the relevant\naspects of DFAS and DISA controls that had been placed in operation as of March 31,\n2008. Also, in our opinion, except for the design deficiency referred to in the preceding\nparagraph, the controls are suitably designed to provide reasonable, but not absolute,\nassurance that the specified control objectives would be achieved if the described controls\nwere complied with satisfactorily and user organizations applied those aspects of internal\ncontrol contemplated in the design of the DFAS and DISA controls.\n\nIn addition to the procedures that we considered necessary to render our opinion, as\nexpressed in the previous paragraph, we tested specified controls, listed in Section III, to\ndetermine whether they are effectively meeting the related control objectives described in\nSection III during the period of October 1, 2007, through March 31, 2008. We\ndocumented the specific control objectives and controls. We also documented the nature,\ntiming, extent, and results of the tests in Section III. 
We provided this information to\nDCPS user organizations and to their auditors to be taken into consideration, along with\ninformation about the user organizations\xe2\x80\x99 internal control environments, when making\nassessments of control risks for such user organizations.\n\nWe identified the following operating deficiencies related to the controls described in\nSection III, Control Objectives, Control Activities, and Tests of Operating Effectiveness.\n\nDCPS User Access\n\nDFAS requires every DCPS user to complete a System Access Authorization Request\n(SAAR) form. The SAAR form documents user access and must be signed by a\nsupervisor indicating that such access has been approved. Upon selecting a sample of 90\nforms for DCPS non-payroll office users, we determined that:\n\n   \xe2\x80\xa2   15 forms could not be located,\n\n   \xe2\x80\xa2   11 forms had a user type that did not match the user type in the list of DCPS\n       Users by Database,\n\n   \xe2\x80\xa2   6 forms had authorization types that did not match the authorization type in the\n       list of DCPS Users by Database,\n\n   \xe2\x80\xa2   16 forms were missing the DCPS Security Awareness Computer-Based Training\n       completion date,\n\n   \xe2\x80\xa2   1 form was missing the user\xe2\x80\x99s signature,\n\n   \xe2\x80\xa2   2 forms were missing the supervisor\xe2\x80\x99s signature,\n\n   \xe2\x80\xa2   10 forms were missing the date of the supervisor\xe2\x80\x99s signature,\n\n   \xe2\x80\xa2   23 forms were missing the security manager\xe2\x80\x99s signature,\n\n\n\n\n                                             6\n\x0c   \xe2\x80\xa2   27 forms were missing the date of the security manager\xe2\x80\x99s signature, and\n\n   \xe2\x80\xa2   13 users completed the incorrect form.\n\nUpon selecting a sample of 90 forms for DCPS payroll office users, we identified that:\n\n   \xe2\x80\xa2   10 forms could not be located,\n\n   \xe2\x80\xa2   29 users completed the incorrect form,\n\n   
\xe2\x80\xa2   31 forms had a user type that did not match the user type in the list of DCPS Users by\n       Database,\n\n   \xe2\x80\xa2   11 forms were missing the DCPS Security Awareness Computer-Based Training\n       completion date,\n\n   \xe2\x80\xa2   1 form was missing a user\xe2\x80\x99s signature,\n\n   \xe2\x80\xa2   6 forms were missing the date of the supervisor\xe2\x80\x99s signature,\n\n   \xe2\x80\xa2   10 forms were missing the security manager\xe2\x80\x99s signature, and\n\n   \xe2\x80\xa2   17 forms were missing the date of the security manager\xe2\x80\x99s signature.\n\nUpon examining forms for the entire population of 66 users with the ability to disburse\npayroll, we identified 1 form that did not contain justification for access to disburse\npayroll.\n\nAs a result, the following control objectives may not have been achieved during the\nperiod of October 1, 2007, through March 31, 2008.\n\n\xe2\x80\x9cControls prevent unauthorized system access to DCPS data.\xe2\x80\x9d\n\n\xe2\x80\x9cControls provide reasonable assurance that personnel and payroll data processed and\nstored at the DFAS and DISA General Computer Control locations are valid, accurate,\nauthorized, complete, timely, support financial reporting requirements and provide\nsufficient audit trails.\xe2\x80\x9d\n\nMonitoring DCPS Error Reports\n\nThe Personnel Interface Invalid Report (PIIR) is a key control for monitoring and\nresolving DCPS interface processing errors. 
This report contains rejections, suspensions,\nor deletions of data to document changes in existing data in DCPS and data input through\ninterface files.\n\nWe examined a sample of 45 PIIRs generated during the audit period at each payroll\noffice to confirm whether the reports were consistently annotated to indicate that\nprocessing exceptions were resolved.\n\n\n                                            7\n\x0cAt the DFAS Indianapolis Payroll Office, 12 of the 45 PIIRs selected from five databases\ncould not be located. Of the remaining 33 reports inspected, we identified that:\n\n   \xe2\x80\xa2   2 reports were missing the date of when the report was annotated by the\n       technician and\n\n   \xe2\x80\xa2   3 reports were not correctly annotated with codes outlined in the Standard\n       Operating Procedure (SOP).\nAt the DFAS Cleveland Payroll Office, 16 of the 45 PIIRs selected from five databases\ncould not be located. Of the remaining 29 reports inspected, we identified that:\n\n   \xe2\x80\xa2   1 report was missing a technician\xe2\x80\x99s signature and\n\n   \xe2\x80\xa2   1 report was missing the date of when the report was reviewed by the technician.\nAs a result, the following control objective may not have been achieved during the period\nof October 1, 2007, through March 31, 2008.\n\n\xe2\x80\x9cControls provide reasonable assurance that personnel and payroll data processed and stored\nat the DFAS and DISA locations are valid, accurate, authorized, complete, timely, support\nfinancial reporting requirements and provide sufficient audit trails.\xe2\x80\x9d\n\nVisitor Access\n\nAt the DFAS Cleveland Payroll Office, we inspected a sample of 21 visitor logs. 
Of the 21\nvisitor logs inspected, we observed that:\n\n   \xe2\x80\xa2   4 logs were missing the visitor organization,\n\n   \xe2\x80\xa2   4 logs were missing the authorized sponsor,\n\n   \xe2\x80\xa2   3 logs were missing the reason for visit,\n\n   \xe2\x80\xa2   4 logs were missing the floor visited, and\n\n   \xe2\x80\xa2   4 logs were missing the visitor badge turn-in date.\nAt the DFAS Indianapolis Payroll Office, visitors with a valid Common Access Card, law\nenforcement badge, or military identification can enter the DFAS building and are not required\nto sign in and out with security; therefore, access is not limited to authorized payroll office\npersonnel. We observed that the terminals that process payroll are located in a physically secure\nbuilding. However, terminal rooms are not locked, and data entry terminals can be connected to\nthe system 24 hours a day, 7 days a week, except during system downtime. The terminal rooms\nare located in shared spaces with other agencies and non-payroll office personnel have access to\nsensitive payroll information. We also observed that the cabinets where payroll information is\nstored are not secured. 
In addition, we observed that visitors to the DFAS Indianapolis Payroll\n\n                                            8\n\x0cOffice must sign in and out with authorized security personnel; however, once the visitor is\ninside the building there is no requirement to display the visitor badge.\nAs a result, the following control objective may not have been achieved during the period\nof October 1, 2007, through March 31, 2008.\n\n\xe2\x80\x9cControls prevent unauthorized physical access to DCPS data.\xe2\x80\x9d\n\n\nManagement Summary Reports\n\nThe Indianapolis and Cleveland Payroll Offices lacked a policy that requires a complete listing\nof summary reports to confirm that personnel and payroll data are processed, valid, accurate, and\nauthorized.\n\nAs a result, the following control objective may not have been achieved during the period\nof October 1, 2007, through March 31, 2008.\n\n\xe2\x80\x9cControls provide reasonable assurance that personnel and payroll data processed and\nstored at the DFAS and DISA General Computer Controls locations are valid, accurate,\nauthorized, complete, timely, support financial reporting requirements and provide\nsufficient audit trails.\xe2\x80\x9d\n\nPersonnel/Payroll Reconciliation Reports\n\nAt the DFAS Indianapolis Payroll Office, we inspected 45 Personnel/Payroll\nReconciliation Reports. The Personnel/Payroll Reconciliation Reports document the\nreconciliation between the personnel systems of the payroll customers and DCPS to\ncapture changes in personnel information. Of the 45 Personnel/Payroll Reconciliation\nReports inspected, 1 report could not be located. 
In addition, eight reports did not include\nnotification sent to user agencies with the necessary changes.\n\nAt the DFAS Cleveland Payroll Office, we found that the DFAS Cleveland Payroll\nOffice did not receive any Personnel/Payroll Reconciliation Reports for two quarters of\nthe audit period.\n\nAs a result, the following control objective may not have been achieved during the period\nof October 1, 2007, through March 31, 2008.\n\n\xe2\x80\x9cControls provide reasonable assurance that personnel and payroll data processed and stored\nat the DFAS and DISA General Computer Controls locations are valid, accurate, authorized,\ncomplete, timely, support financial reporting requirements and provide sufficient audit trails.\xe2\x80\x9d\n\n592 Reconciliation Reports\n\nThe 592 Reconciliation process is performed at the end of every pay period by civilian pay\ntechnicians to confirm that all payroll balancing spreadsheets have been received and all\n\n\n                                             9\n\x0cdiscrepancies have been identified and/or corrected in order to release payroll files to the\ndisbursing office.\n\nAt the DFAS Indianapolis Payroll Office, we inspected 45 592 Reconciliation reports. Of\nthe 45 592 Reconciliation reports, 8 reports did not have documentation of a final\ndisbursement authorization.\n\nWe noted that 1 of 45 selected 592 Reconciliations did not balance, and a supplemental\n592 Reconciliation was not prepared. 
We noted that for 1 of 45 selected 592\nReconciliations, the Report of Withholdings was not signed.\n\xc2\xa0\nAs a result, the following control objectives may not have been achieved during the\nperiod of October 1, 2007, through March 31, 2008.\n\n\xe2\x80\x9cControls provide reasonable assurance that DCPS authorized users are restricted to access\nonly areas needed to complete their assigned responsibilities and controls maintain segregation\nof duties.\xe2\x80\x9d\n\n\xe2\x80\x9cControls provide reasonable assurance that personnel and payroll data processed and\nstored at the DFAS and DISA General Computer Controls locations are valid, accurate,\nauthorized, complete, timely, support financial reporting requirements and provide\nsufficient audit trails.\xe2\x80\x9d\n\nDCPS Change Management\n\nAll configuration changes made to the DCPS application are required to comply with\nDepartment of Defense Instruction 8500.2, \xe2\x80\x9cInformation Assurance Implementation,\xe2\x80\x9d\nstandards for software development change controls. However, the configuration\nmanagement process at DISA does not provide an audit trail to confirm that changes are\ntested in a test environment before being implemented into the production environment.\n\nAs a result, the following control objectives may not have been achieved during the\nperiod of October 1, 2007, through March 31, 2008.\n\n\xe2\x80\x9cDISA or DFAS initiated application, software, or hardware modifications are\nauthorized, and the documentation is maintained.\xe2\x80\x9d\n\n\xe2\x80\x9cChanges to the DoD information system are assessed for Information Assurance (IA)\nand accreditation impact prior to implementation.\xe2\x80\x9d\n\n\n\n\n                                             10\n\x0cDCPS Access Audits\n\nMonitoring access to DCPS is required to comply with DoD Instruction 8500.2 standards\nfor audit trails, monitoring, analysis, and reporting. 
However, payroll office personnel\ndid not perform the monthly access audits.3\n\nAs a result, the following control objective may not have been achieved during the period\nof October 1, 2007, through March 31, 2008.\n\n\xe2\x80\x9cAudit trails are maintained.\xe2\x80\x9d\n\nDCPS Operator Logs\n\nAccess to DCPS is required to comply with DoD Instruction 8500.2 standards for group\nidentification and authentication. However, the DFAS operations group uses a group\nauthenticator to execute batch jobs. To mitigate risk, DFAS uses a daily operator log to\nrecord the actions of the operators. However, DFAS could not provide operator logs for 3\nof 18 sampled dates.\n\nAs a result, the following control objectives may not have been achieved during the\nperiod of October 1, 2007, through March 31, 2008,\n\n\xe2\x80\x9cGroup authenticators for application or network access may be used only in\nconjunction with an individual authenticator.\xe2\x80\x9d\n\n\xe2\x80\x9cControls provide reasonable assurance that personnel and payroll data processed and\nstored at the DFAS and DISA General Computer Controls locations are valid, accurate,\nauthorized, complete, timely, support financial reporting requirements and provide\nsufficient audit trails.\xe2\x80\x9d\n\nIn our opinion, except for the deficiencies in operating effectiveness noted in the\npreceding paragraphs, the controls that we tested, as described in Sections II and III, were\noperating with sufficient effectiveness to provide reasonable, but not absolute, assurance\nthat the control objectives specified in Sections II and III were achieved during the period\nof October 1, 2007, through March 31, 2008.\n\nThe relative effectiveness and significance of specific controls at DFAS and DISA, and\ntheir effect on assessments of control risk at user organizations, are dependent on their\ninteraction with the internal control environment and other factors present at individual\nuser organizations. 
We have not performed procedures to evaluate the effectiveness of\ninternal controls placed in operation at individual user organizations.\n\nThe description of the controls at DFAS and DISA is as of March 31, 2008, and\ninformation about tests of their operating effectiveness covers the period of October 1,\n\n\n3 DCPS conducts three types of internal audits at the payroll offices: user access, segregation of duties, and\nsupervisory codes.\n\n                                                     11\n\x0c\x0c Section II: Description of the Defense Civilian Pay System\nOperations and Controls Provided by the Defense Finance and\n  Accounting Service and the Defense Information Systems\n                           Agency\n\n\n\n\n                            13\n\x0c\x0cII. Description of the Defense Civilian Pay System Operations\nand Controls Provided by the Defense Finance and Accounting\nService and the Defense Information Systems Agency\n\nA. Overview of DCPS\n\nPurpose of DCPS\n\nIn 1991, DoD selected DCPS as its standard payroll system. DCPS is used by all DoD\nactivities paying civilian employees, except Local Nationals and those funded by Non-\nappropriated Funds and Civilian Mariners. Before becoming the DoD-wide civilian pay\nsystem, DCPS was the Navy civilian pay system, which had been in operation since\n1988. DFAS began paying the Executive Office of the President (EOP) in 1998. The\n2001 President\xe2\x80\x99s Management Agenda e-Payroll initiative established federal payroll\nproviders to service the entire executive branch of the Federal Government; DFAS was\nselected as one of those providers. DFAS began processing payroll for the Department of\nEnergy (DoE) in 2003, the Department of Health and Human Services (HHS) in 2005,\nthe Environmental Protection Agency (EPA) and, Department of Veterans Affairs (VA)\nin 2006, and the Broadcast Board of Governors (BBG) in 2007. 
As of June 30, 2008,\nDCPS currently processes pay for approximately 834,000 employees.\n\nThe DCPS program mission is to process payroll for DoD and non-DoD civilian\nemployees in accordance with existing regulatory, statutory, and financial information\nrequirements relating to civilian pay entitlements and applicable policies and procedures.\nThe DoD civilian pay program must satisfy the complex and extensive functional,\ntechnical, and interface requirements associated with the DoD and non-DoD civilian pay\nfunction. The functional areas include: employee data maintenance, time and\nattendance, leave, pay processing, deductions, retirement processing, debt collection,\nspecial actions, disbursing and collection, reports processing and reconciliation, and\nrecord maintenance and retention. DCPS provides standard interface support to various\naccounting, financial management, and personnel systems. From a life cycle perspective,\nDCPS is in the maintenance phase, with system changes mainly resulting from legislative\nand functional requirements.\n\nDFAS participated in a BRAC transformation that impacted the DCPS Payroll Offices.\nThe BRAC consolidated and relocated the three servicing payroll offices located in\nPensacola, Florida, Charleston, South Carolina and Denver, Colorado into two payroll\noffices located in Cleveland, Ohio, and Indianapolis, Indiana. The move and\nconsolidation were completed in March, 2008. Approximately 300 payroll processing\npersonnel at the two DFAS Payroll Offices use DCPS. DCPS is also used at NSA4.\nAdditional users include Customer Service Representatives (CSRs), Timekeepers, and\n\n\n4The NSA payroll office is not included in the scope of this \xe2\x80\x9cDescription of DCPS Operations and Controls\nProvided by DFAS and DISA.\xe2\x80\x9d\n\n\n                                                   15\n\x0cCertifiers at customer activities and sites. The Cleveland Payroll Office processes payroll\nfor the Navy, DoE, and HHS. 
The Indianapolis Payroll Office processes payroll for all\nother unclassified DFAS payroll customers. Migration of VA pay account processing is\nscheduled for completion September, 2009.\n\nDCPS Support Functions\n\nThe DFAS Standards and Compliance Division (under the cognizance of the DFAS Director)\nprovides high-level management control and coordination within DoD and for DCPS external\ncustomers. The Civilian Pay Systems Management Directorate (under the cognizance of the\nDFAS Chief Information Officer) have overall daily responsibility for application, operation,\ninterpretation and implementation of DCPS. In addition, those offices are responsible for\ncoordinating with external users and new customers. Civilian Pay Systems Management\nDirectorate is responsible for requirements management, functional analysis, information\nassurance, and user documentation processes.\n\nThe Technology Services Engineering Organization Pensacola (TSOPE) provides DCPS\nsoftware engineering, production support, and customer service. Within TSOPE, several groups\nprovide DCPS support. The Software Engineering Division provides technical design,\nprogramming, unit testing, and system documentation. The Software Test and Evaluation\nDivision performs integration testing and evaluation processes. The Project Support Division\nprovides system software, telecommunication, computer resource tools, and database support.\nDCPS Software Quality Assurance monitors the software engineering process and provides\nrecommendations for improvement. The Systems Support Division provides configuration\nmanagement, release management, implementation status, and customer support. 
DCPS is\nmaintained and executed on a DISA mainframe platform at DISA DECC-MECH, Pennsylvania.\n\nDCPS Systems Architecture\n\nDCPS has a two-tiered architecture comprised of the following:\n\n   \xe2\x80\xa2   Mainframe hardware and software components - used as a repository for collecting and\n       accumulating data, and providing centralized, biweekly processing of civilian pay and its\n       attendant functions (for example., electronic funds transfer, generation of leave and\n       earnings statements); and\n\n   \xe2\x80\xa2   Remote user/print spooler hardware and software - used to collect and/or pre-process data\n       at customer sites, provide connectivity to DCPS mainframe components, and support\n       printing of mainframe-generated outputs (for example, reports, timesheets) at customer\n       locations. The components are largely customer-owned and operated, and include local\n       area networks (LANs), personal computers, and a diverse assortment of printers and\n       software that operates and connects the networks, computers, and printers. DFAS\n       maintains a limited number of mid-tier (minicomputer) systems at selected DFAS sites to\n       handle specialized printing requirements (for example, paychecks). Other offloaded print\n       services, such as bulk printing for DCPS Payroll Offices and printing of Leave and\n       Earnings Statements, are performed on Personal Computer/workstation hardware\n\n\n\n                                            16\n\x0c       maintained by the Document Automation & Production Service (DAPS) at sites located\n       in various U.S. 
and overseas geographical regions.

The two tiers of the DCPS architecture are connected through DoD-maintained networks comprised of Internet Protocol (IP)-based (for example, Non-Classified Internet Protocol Router Network (NIPRNET)) and Systems Network Architecture (SNA)-based (leased line) services. Those networks connect DCPS to a wide variety of external, non-DCPS sites (mainframes, mid-tiers, and PCs) that supply or exchange data with DCPS, mainly through electronic file transfers, on a regular basis. Examples of external interface sites include the Defense Civilian Personnel Data System, Thrift Savings Plan (TSP), Department of the Treasury, and non-DoD users such as DoE, EPA, EOP, HHS, BBG, and VA.

The main technical components of DCPS include the following attributes:

       •   DCPS is housed in a separate logical domain on an IBM z9 mainframe computer located at DISA DECC-MECH;

       •   The IBM mainframe operating system software is z/OS release 1.9;

       •   DCPS is written in Common Business Oriented Language II;

       •   First point of entry security protection mechanisms are provided by Access Control Facility 2 (ACF2);

       •   DISA DECC-MECH provides four web servers that service all applications that support DCPS.
Those servers accept the users’ secure web requests by supplying a menu screen with options for each application to the DCPS LOGON SCREEN, where individuals enter their ACF2 login user identification (ID) and passwords;

       •   Third-party software packages are used for DCPS process scheduling and monitoring, tax calculations, and mailing address verification.

The payroll offices and associated CSRs have access to DCPS through dedicated leased lines, various DoD networks, and through the Multi-Host Internet Access Portal, formerly known as the Mainframe Internet Access Portal (MIAP). MIAP enables secure transaction processing across the NIPRNET. Attachmate’s Reflection for the Web product was used to establish a secure infrastructure utilizing Virtual Private Network (VPN) encryption through the DoD DMZs. DCPS users interact directly with the DCPS application through “3270” emulation using Personal Computer/Advanced Technology keyboard mapping terminals or terminal simulation programs for communication with DCPS. This permits application-defined formatted screens to be displayed with protected static text and unprotected fields for data entry.

In addition, the operating site is networked with TSOPE to support DCPS software releases and production support.

   •   Terminals. Some DFAS DCPS users will use the Internet Protocol Telnet RUMBA 3270 emulation package across dedicated lines with extended attributes and PC/AT keyboard mapping, terminals, or terminal simulation programs (PCs) for communication with the application. This permits application-defined formatted screens to be displayed with protected static text and unprotected fields for data entry.
Once the screen is formatted for a type of transaction, only the data entered is transmitted between the terminal and the mainframe.

   •   Printers. Printers provide printing support for the majority of Payroll Office and Systems printing requirements. All printing goes through VPN IP Protocol.

   •   MIAP. DISA DECC-MECH provides access to DCPS through the MIAP. The DCPS user community may access the system using DISA’s inherited MIAP solution across the Internet using an authorized Internet browser. PKI authentication is maintained at the MIAP server, and user ID/password authentication is still maintained at the DCPS application logon.

The payroll offices are structured in accordance with DFAS standard staffing policy and conduct business using standard operating and support procedures. They operate on a 24-hour basis to provide payroll service to customers located in various time zones and are responsible for the full range of pay processing functions and services. As circumstances dictate, the three payroll offices serve as operational back-up sites for each other when contingency procedures are executed by DFAS.

DoD Instruction 8500.2, “Information Assurance Implementation,” February 6, 2003 (DoD I 8500.2), identifies specific control requirements DoD systems should achieve based on their designated Mission Assurance Category (MAC). The DCPS application Authority to Operate, dated July 29, 2005, is on file with the DFAS Chief Information Officer, and the reaccreditation package is awaiting approval. According to the current DCPS System Security Authorization Agreement (SSAA), as of June 30, 2005, the MAC level for the DCPS application is “MAC III” and its supporting enclave at DISA DECC-MECH is “MAC II”.

DCPS Data Flow

The figure below depicts the flow of data to and from DCPS.
DCPS customers and technicians input data, including master employee and time and attendance logs. DCPS outputs data to multiple systems and entities, including financial reporting entities, the automated disbursing system, and data storage.

[Figure: DCPS Interfaces. DCPS is shown at the center exchanging data with: Defense Automated Printing Service; ePayroll Customer Systems; Voluntary Benefit Portal (TLC?FSA?V&D); OPM (RITS, EHRI); Personnel Systems (DCPDS) (PeopleSoft); National Guard Assoc of the US (NGAUS); National Guard Dual Comp Office; myPay; Integrated Garnishment System (IGS); Federal Reserve Bank (FRB); Nat’l Treas Emp Union (NTEU); FEHB Clearing-House Project; National Finance Center; Automated Disbursing System (ADS); Defense Manpower Data Center (DMDC); Imaging; DFAS Denver Bonds/Dept Acct; Defense Corporate Data base; DFAS Indy Acct edit/Dept Acct; Treasury IRS/SSA; Army Audit; DFAS Columbus Dept Acct; State Tax Entities; Field Level Accounting (26); T&A SDA (19); DFAS Cleveland Dept Acct; Local Tax Entities.]

Overview of System Interfaces

DCPS is a combination of on-line and batch programs that support the requirements of a bi-weekly payroll process for civilian employees in the Federal Government, based on data feeds from numerous personnel, accounting, and time and attendance systems. Transactions to update employee data, adjust leave balances and payments, and report time and attendance may be input daily to spread the on-line workload and to obtain labor data. However, the focal point of the system is the bi-weekly process. Non-bi-weekly process functions occur monthly, quarterly, annually, or as required, and are in support of, or a result of, multiple bi-weekly pay cycles. DCPS supports a standard personnel interface, decentralized time and attendance reporting, and the CSR structure.

DCPS accepts input from three primary areas: CSR, timekeepers, and personnel offices.
DCPS receives or creates approximately 81 interface files that, among other functions:

   •   update personnel information,
   •   upload time and attendance data,
   •   download information for checks to be printed,
   •   report accounting information to the Department of the Treasury,
   •   reconcile enrollment information with health care providers, and
   •   download general accounting information to DoD agencies.

Automatic electronic file transfer directly to and from the host mainframe computer is preferred for input and output file interfaces. Output files are automatically transmitted to sites and activities using common file transfer protocols, through communication lines or as files written to magnetic tape at the host (per data in the File Transfer Tables). Interface partners must provide File Transfer Table data to the TSOPE for table updates. For files not automatically transferred, the activity receiving DCPS data is responsible for accessing the host computer to retrieve (“pull”) the output file(s) from the host. In addition, the activity creating payroll data is responsible for developing and sending a DCPS input file by secure means to the processing center supporting the payroll office. The payroll activities and the submitting activities establish mutually agreeable schedules to ensure timely receipt of data necessary to support DCPS payroll processing. TSOPE is responsible for executing and monitoring interface processing, as well as resolving interface processing errors or problems.

B. Control Environment

DCPS Management Oversight

The DFAS Information and Technology Directorate is responsible for reviewing and approving DCPS security policy and its certification and accreditation plan, and granting DCPS authority to operate. TSOPE provides not only DCPS software engineering support, but also production support and customer service. DCPS is maintained and executed on a DISA mainframe platform at DISA DECC-MECH, Pennsylvania. DISA DECC-MECH is part of the Center for Computing Services within the Global Information Grid Combat Support Directorate, which is a Strategic Business Unit within DISA. DFAS and DISA have documented DCPS support services provided by DISA in a service-level agreement that is reviewed by both agencies on an annual basis. DFAS and DISA have documented policies and procedures describing their respective roles and responsibilities in supporting payroll functions. DISA and DFAS are Defense agencies that report to the Office of the Secretary of Defense.

Personnel Policies and Procedures

DFAS Payroll Offices and TSOPE

Payroll office employees and contractors are required to review applicable administrative orders, policies, and procedures with the Human Resource Office and must complete appropriate forms to gain access to DFAS systems. New employees must meet with the Information Security (IS) Manager. The IS Manager is responsible for: (1) providing basic system security awareness training, (2) securing civilians’ and contractors’ signatures on an Automated Data Processing Security Awareness disclosure form, (3) identifying who an employee’s Terminal Area Security Officer (TASO) is and what the TASO responsibilities are, and (4) notifying appropriate personnel when personnel actions occur.
Those actions include providing access to, or immediately terminating, employee or contractor access to DFAS automated information system resources. The payroll offices and TSOPE facilities require a background check before a candidate can become an employee.

DISA DECC-MECH

The security manager is responsible for processing and vetting new employees and contractors who are given access to DISA DECC-MECH facilities. All contractors and employees are required, at a minimum, to have a secret clearance and a positive National Agency Check. For employees, the security manager coordinates with the personnel office, and for contractors, the security manager coordinates with the contracting officer. For contractors, the security manager is responsible for confirming that all contractors are assigned to a valid contract and have been approved to work at DISA DECC-MECH.

All new employees are required to sign DISA Form 312, “Classified Information Nondisclosure Agreement,” which serves as a nondisclosure agreement for sensitive and classified information. When employees are terminated, DISA requires them to sign the same Form 312 to confirm their understanding of the requirements placed upon them. New employees and contractors are required to complete a DD Form 2875, “System Authorization Access Request,” to gain access to DISA systems. The security manager is responsible for vetting those forms and confirming that the person requesting access has the proper clearance for the level of access requested. For contractors, the security manager confirms the length of the contract and determines when system accounts should expire. All new employees and contractors must complete security awareness training.

C. Monitoring

Management and supervisory personnel at DFAS and DISA monitor the performance quality and internal control environment as a normal part of their activities.
DFAS and DISA have implemented a number of management, financial, and operational reports that help monitor the performance of payroll processing, as well as the DCPS system. These reports are reviewed periodically and action is taken as necessary. All procedural problems and exceptions to normal and scheduled processing are logged, reported, and resolved in a timely manner, with remedial action taken as necessary. In addition, several organizations within DoD perform monitoring activities associated with DCPS-related internal controls.

DISA Office of Inspector General

The DISA OIG is an independent office within DISA that conducts internal audits, inspections, and investigations. DISA-related components that support DCPS are part of the DISA OIG audit universe and are subject to audits, inspections, and investigations conducted by this office.

Field Security Operations

The Field Security Operations (FSO) conducts periodic System Readiness Reviews of DISA systems to determine whether those systems are in compliance with documented Standard Technical Implementation Guides (STIGs). The DCPS system components maintained by DISA are subject to FSO reviews. The FSO is independent of the DISA DECC-MECH management and does not maintain or configure DCPS.

DoD Office of Inspector General

Congress established the DoD OIG under the Inspector General Act of 1978 to conduct and supervise audits and investigations related to DoD programs and operations. The DoD OIG reports directly to the Secretary of Defense and is independent of DFAS and DISA.
DCPS is part of the DoD OIG audit universe and is subject to financial, operational, and information technology audits, reviews, and special assessment projects.

Certification and Accreditation

DoD Instruction 5200.40, “Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP),” December 30, 1997, established a standard Department-wide process, set of activities, general tasks, and management structure to certify and accredit information systems that will maintain the information assurance and security posture of the Defense information infrastructure throughout the life cycle of each system. The certification process is a comprehensive evaluation of the technical and non-technical security features of an information system and other safeguards to establish the extent to which a particular design and implementation meets specified security requirements; it covers physical, personnel, administrative, information, information systems, and communications security. The accreditation process is a formal declaration by the designated approving authority that an information system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk.

DCPS is subject to the requirements of DITSCAP and must meet all DITSCAP certification and accreditation requirements throughout its lifecycle. As part of the DCPS DITSCAP, DFAS and DISA have developed separate SSAAs for the DCPS application and for the system enclave within DISA that supports the application. Each SSAA is a living document that represents an agreement between the designated approving authority, certifying authority, user representative, and program manager.
Among other items, the DCPS SSAA documents DCPS’ mission description and system identification, environment description, system architecture description, system class, system security requirements, organizations and resources, and DITSCAP plan. On a periodic basis, the system security officer must verify and validate DCPS’ compliance with the information in the SSAA by conducting vulnerability evaluations, security testing and evaluation, penetration testing, and risk management reviews. The DCPS application SSAA was issued on June 30, 2005, and is valid for three years. The DISA DECC-MECH enclave SSAA was issued on February 27, 2006, and is valid for three years. The DCPS application Authority to Operate (ATO), dated 29 July 2005, is on file with the Information Assurance Manager. The DCPS ATO will be included in the annual Mechanicsburg Unclassified Enclave SSAA package update that is submitted to the DISA Designated Approval Authority (DAA).

D. Risk Assessment

The DITSCAP, discussed in subsection C above, includes several activities that enable DFAS and DISA to assess risks associated with DCPS. The DCPS application and enclave SSAAs document threats to DCPS and its supporting technical environment. The SSAAs also contain residual risk assessments that document vulnerabilities noted during DCPS tests and analyses. The information contained in the SSAAs is updated on a periodic basis. Personnel from DFAS TSOPE and DISA DECC-MECH participate in risk assessment activities.

E. Information and Communication

DCPS is the information system used to process civilian payroll for DoD and payroll customers from other Federal entities including the DoE, EPA, EOP, HHS, BBG, and VA.
Payroll processing involves approximately 81 data files that interface with DCPS. Those interfaces are linked to other DoD financial systems, as well as external systems. The majority of the interfaces are automated and must conform to documented interface specifications developed by the TSOPE. The TSOPE is responsible for executing and monitoring all DCPS automated interfaces.

The support relationship between DFAS and DECC-MECH is documented through a service-level agreement that includes various DFAS and DECC-MECH points of contact and liaisons that should be used when DCPS issues arise. DECC-MECH has assigned a customer relationship manager to work with TSOPE to resolve any DCPS processing problems or concerns.

Directors and managers from TSOPE and the DISA DECC-MECH meet weekly to discuss DCPS processing issues. The Configuration Control Board, comprised of customer agencies, DISA DECC-MECH, TSOPE, and payroll office personnel, reviews and approves functional and systemic changes to DCPS. The payroll offices have help desk functions to identify and track DCPS user issues and problems and communicate those issues and problems to DISA DECC-MECH for resolution.

F. Control Activities

The DCPS control objectives and related control activities provided by the DoD OIG and approved by DFAS and DISA are included in Section III of this report, “Control Objectives, Control Activities, and Tests of Operating Effectiveness,” to eliminate the redundancy that would result from listing them in this section and in Section III. Although the control objectives and related controls are included in Section III, they are, nevertheless, an integral part of the description of controls.

G. User Organization Control Considerations

DFAS and DISA control activities related to DCPS were designed with the assumption that certain controls would be placed in operation at user organizations. This section describes some of the controls that should be in operation at user organizations to complement the controls at DFAS and DISA.

User organizations should have policies and procedures in place to ensure that:

   •   the servicing payroll office is notified of all terminated employees with access to DCPS;

   •   the local Human Resource Office is notified of all terminated employees to ensure the employees are removed from the Master Employee Record in a timely manner;

   •   all time entered by timekeepers is approved and authorized by appropriate user organization management;

   •   all Master Employee Records created represent valid employees;

   •   all changes to the Master Employee Record are approved by appropriate user organization personnel prior to payroll processing;

   •   segregation of duties exists between those at the user organization who enter time and those who enter or change Master Employee Records;

   •   if a pseudo Social Security Number (SSN) is created, the pseudo SSN has been authorized by appropriate user organization personnel and, if necessary, is accurately tied to a primary and valid SSN;

   •   user organization managers review the “Control of Hours” and other payroll-related reports for appropriateness and accuracy;

   •   all invalid time entry interface feeds are reviewed and processed by appropriate user organization personnel in a controlled manner; and

   •   all invalid personnel record interface feeds are resolved in the interface system by user organization personnel with
appropriate approval by user organization management.

Section III: Control Objectives, Control Activities, and Tests of Operating Effectiveness

III. Control Objectives, Control Activities, and Tests of Operating Effectiveness

A. Scope Limitations

The control objectives documented in this section were specified by the DoD OIG. As described in Section II, DCPS interfaces with many systems. The controls described and tested in this section of the report are limited to those computer systems, operations, and processes directly related to DCPS itself. We did not perform any procedures to evaluate the integrity and accuracy of the data contained in DCPS. The controls related to the source and destination systems associated with the DCPS interfaces are specifically excluded from this review. In addition, we did not perform procedures to evaluate the effectiveness of data input, processing, and output controls within those interface systems. However, we did perform procedures to evaluate DCPS controls over data input from and output to the interfacing systems.

DFAS and DISA provided the Control Objective and Control Activity description columns. We populated the Tests Performed and Results of Testing columns. We conducted our audit for the purpose of forming an opinion on the description of the DCPS general and application controls at DFAS and DISA.

B. Control Objectives, Control Activities, and Tests of Operating Effectiveness

Application Control Objectives, Control Activities, Tests Performed, and Results of Testing

1. Physical Access

No. 1 - Control Objective: Controls prevent unauthorized physical access to DCPS data.

   Control Activity 1.1: Policies and procedures are documented to describe that personnel payroll records and other sensitive information are maintained and disposed of in accordance with Government-wide and agency-specific guidelines.
   Tests Performed: Inquired with appropriate personnel and scanned policies and procedures to confirm that personnel payroll records and other sensitive information are maintained and disposed of in accordance with Government-wide and agency-specific guidelines. [All payroll offices]
   Results of Testing: DFAS Indianapolis: Documented policies and procedures for physical security were not in place. DFAS Cleveland: No relevant exceptions noted.

   Control Activity 1.2: All documents and storage media are stored in physically and environmentally secure containers.
   Tests Performed: Confirmed through corroborative inquiry and inspection of storage process documentation that documents and storage media are stored properly in environmentally secure containers. [All payroll offices]
   Results of Testing: DFAS Indianapolis: We noted payroll processing locations were not physically secured. In addition, file cabinets containing payroll information were not secured. DFAS Cleveland: No relevant exceptions noted.

   Control Activity 1.3: All visitors to the payroll office must sign in and out with the authorized security personnel.
   Tests Performed: Inquired with appropriate personnel and obtained and inspected a sample of visitor logs from the payroll office to confirm that visitors must sign in with authorized security personnel. [All payroll offices]
   Results of Testing: DFAS Indianapolis: A visitor access process was in place at DFAS Indianapolis; however, individuals do not wear badges that identify them as visitors, and we did not receive visitor logs. DFAS Cleveland: We noted the following for visitor access testing:
      •   1 of 22 sample dates tested did not have the visited organization on the visitor badge log,
      •   4 of 22 sample dates tested did not have the authorized sponsor on visitor logs,
      •   1 of 22 sample dates tested did not have the reason for the visit on the visitor logs,
      •   1 of 22 sample dates tested did not have the floor visited on the
                                                visitor badge log, and\n                                                                                                              \xe2\x80\xa2 1 of 22 sample of dates\n                                                                                                                tested did not have the\n                                                                                                                visitor badge turn-in\n                                                                                                                date on the visitor\n                                                                                                                badge log.\n                          1.4 - All terminals and payroll records   Confirmed through corroborative          DFAS Indianapolis:\n                          are located in physically secured         inquiry with appropriate personnel\n                                                                                                             We noted physically\n                          locations.                                that the terminal rooms are physically\n                                                                                                             unsecured payroll\n                                                                    secure.\n                                                                                                             processing locations. In\n                                                          29\n\x0cNo.   
Control Objective            Control Activities                         Tests Performed                   Results of Testing\n\n                                                                                                            addition, we noted\n                                                                                                            unsecured file cabinets that\n                                                                   [All payroll offices]                    stored payroll information.\n                                                                                                            DFAS Cleveland:\n                                                                                                            No relevant exceptions\n                                                                                                            noted.\n\n                          1.5 - Users dispose of personnel and     Confirmed through corroborative          No relevant exceptions\n                          payroll records in accordance with       inquiry with appropriate personnel       noted.\n                          Government-wide and agency-specific      that payroll records are disposed of\n                          guidelines.                              using destruction bins in accordance\n                                                                   with Government-wide and agency-\n                                                                   specific guidelines.\n\n                                                                   [All payroll offices]\n\n\n                          1.6 - Each terminal automatically        Confirmed through corroborative          No relevant exceptions\n                          disconnects from the system when not     inquiry with appropriate personnel       noted.\n                          used after a specified period of time.   
that each terminal automatically\n                                                                   disconnects from the system when not\n                                                                   used after a specified period of time.\n\n                                                                   [All payroll offices]\n\n\n                          1.7 - When terminals are not in use,     Confirmed through corroborative          No relevant exceptions\n                          terminal rooms are locked, or the        inquiry with appropriate personnel       noted.\n                          terminals are can be secured.            that when terminals are not in use,\n                                                                   terminal rooms are locked, or the\n                                                                   terminals can be secured.\n\n                                                                   [All payroll offices]\n\n                                                          30\n\x0c    No.        Control Objective                    Control Activities                        Tests Performed                     Results of Testing\n\n\n2         System Access\n\n2         Controls prevent unauthorized   2.1 - The ability to view, modify, or    Inquired with appropriate personnel        DFAS Indianapolis:\n          system access to DCPS data.     transfer information contained in the    and inspected a random sample of\n                                                                                                                              Non-payroll users\n                                          payroll master files is restricted to    SAARs to confirm the following.\n                                          authorized personnel.                                                               
DFAS was unable to\n                                                                                       \xe2\x80\xa2    The payroll master file and\n                                                                                                                              provide 11 of 45 selected\n                                          Each operator is required to have a               output is restricted to\n                                                                                                                              non-payroll user access\n                                          completed and authorized                          authorized personnel.\n                                                                                                                              forms.\n                                          authorization form before being\n                                          granted access to the system.                \xe2\x80\xa2    Each operator has                 We noted the following for\n                                                                                            authorization before being        the 34 non-payroll user\n                                          Authorization profiles of users limit             granted access to the system.     access forms provided:\n                                          what transactions data entry personnel\n                                          can enter.                                   
\xe2\x80\xa2    User profiles limit the type of    \xe2\x80\xa2 6 of 34 non-payroll\n                                                                                            transaction data entry               user forms indicated a\n                                                                                            personnel can enter into             user type that did not\n                                                                                            DCPS.                                match the user type in\n                                                                                                                                 DCPS.\n                                                                                   [All payroll offices]\n                                                                                                                               \xe2\x80\xa2 2 of 34 non-Payroll\n                                                                                                                                 user forms indicated\n                                                                                                                                 authorization types\n                                                                                                                                 that did not match the\n                                                                                                                                 user type in the list of\n                                                                                                                                 DCPS users.\n                                                                                                                               \xe2\x80\xa2 7 of 34 non-payroll\n                                                                                                                                 user forms 
were\n                                                                                                                                 missing the DCPS\n                                                                                                                                 Security Awareness\n                                                                                                                                 training completion\n                                                                                                                                 date.\n                                                                                                                               \xe2\x80\xa2 1 of 34 non-payroll\n                                                                                                                                 user access forms was\n                                                                                                                                 missing the user\xe2\x80\x99s\n\n                                                                          31\n\x0cNo.   
Control Objective   Control Activities        Tests Performed       Results of Testing\n\n                                                                          signature.\n\n                                                                       \xe2\x80\xa2 1 of 34 non-payroll\n                                                                         user access forms was\n                                                                         missing the\n                                                                         supervisor\xe2\x80\x99s signature.\n\n                                                                       \xe2\x80\xa2 5 of 34 non-payroll\n                                                                         user access forms were\n                                                                         missing the date of the\n                                                                         supervisor\xe2\x80\x99s approval.\n\n                                                                       \xe2\x80\xa2 13 of 34 non-payroll\n                                                                         user access forms were\n                                                                         missing the security\n                                                                         manager\xe2\x80\x99s signature.\n\n                                                                       \xe2\x80\xa2 14 of 34 non-payroll\n                                                                         user access forms were\n                                                                         missing the date of the\n                                                                         security manager\xe2\x80\x99s\n                                                                         approval.\n\n                                                                       \xe2\x80\xa2 7 of 34 non-payroll\n            
                                                             user access requests\n                                                                         were processed using\n                                                                         the incorrect form.\n                                                                         Users obtained access\n                                                                         using the DCPS\n                                                                         Security Access\n                                                                         Questionnaire.\n                                                                      Payroll users\n                                                                      DFAS was unable to\n                                                                      provide 5 of 45 selected\n                                                                      payroll user access forms.\n                                               32\n\x0cNo.   Control Objective   Control Activities        Tests Performed      Results of Testing\n\n                                                                      We noted the following for\n                                                                      the 40 payroll user access\n                                                                      forms provided:\n\n                                                                       \xe2\x80\xa2 13 of 40 payroll users\n                                                                         did not complete the\n                                                                         correct form. 
Users\n                                                                         obtained access using\n                                                                         non-payroll user\n                                                                         access forms.\n\n                                                                       \xe2\x80\xa2 17 of 40 payroll user\n                                                                         access forms indicated\n                                                                         a user type that did not\n                                                                         match the user type\n                                                                         listed in DCPS.\n\n                                                                       \xe2\x80\xa2 6 of 40 payroll user\n                                                                         access forms were\n                                                                         missing the DCPS\n                                                                         Security Awareness\n                                                                         training completion\n                                                                         date.\n\n                                                                       \xe2\x80\xa2 3 of 40 payroll user\n                                                                         access forms were\n                                                                         missing the date of the\n                                                                         supervisor\xe2\x80\x99s signature.\n\n                                                                       \xe2\x80\xa2 5 of 40 payroll user\n                                                                         access forms were\n                                                                
         missing the security\n                                                                         manager\xe2\x80\x99s signature.\n\n                                                                       \xe2\x80\xa2 7 of 40 payroll user\n                                                                         access forms were\n                                               33\n\x0cNo.   Control Objective   Control Activities        Tests Performed       Results of Testing\n\n                                                                          missing the date of the\n                                                                          security manager\xe2\x80\x99s\n                                                                          approval.\n\n                                                                       \xe2\x80\xa2 4 of 40 payroll user\n                                                                         access request were\n                                                                         processed using the\n                                                                         incorrect form. 
Users\n                                                                         obtained access using\n                                                                         the DCPS Security\n                                                                         Access Questionnaire.\n\n                                                                      DFAS Cleveland:\n                                                                      Non-payroll users\n                                                                      DFAS was unable to\n                                                                      provide 4 of 45 selected\n                                                                      non-payroll user access\n                                                                      forms.\n                                                                      We noted the following for\n                                                                      the 41 non-payroll user\n                                                                      access forms provided:\n                                                                       \xe2\x80\xa2 5 of 41 non-payroll\n                                                                         user forms indicated a\n                                                                         user type that did not\n                                                                         match the user type in\n                                                                         DCPS.\n\n                                                                       \xe2\x80\xa2 4 of 41 non-payroll\n                                                                         user forms indicated\n                                                                         authorization types\n                                                                         that did not match the\n                
                                                         authorization type in\n                                                                         DCPS.\n\n                                               34\n\x0cNo.   Control Objective   Control Activities        Tests Performed     Results of Testing\n\n\n                                                                      \xe2\x80\xa2 9 of 41 non-payroll\n                                                                        user forms were\n                                                                        missing the DCPS\n                                                                        Security Awareness\n                                                                        training completion\n                                                                        date.\n\n                                                                      \xe2\x80\xa2 1 of 41 non-payroll\n                                                                        user access forms was\n                                                                        missing the\n                                                                        supervisor\xe2\x80\x99s signature.\n\n                                                                      \xe2\x80\xa2 5 of 41 non-payroll\n                                                                        user access forms were\n                                                                        missing the date of the\n                                                                        supervisor\xe2\x80\x99s approval.\n\n                                                                      \xe2\x80\xa2 10 of 41 non-payroll\n                                                                        user access forms were\n                                                                        missing the security\n                                           
                             manager\xe2\x80\x99s signature.\n\n                                                                      \xe2\x80\xa2 13 of 41 non-payroll\n                                                                        user access forms were\n                                                                        missing the date of the\n                                                                        security manager\xe2\x80\x99s\n                                                                        approval.\n\n                                                                      \xe2\x80\xa2 6 of 41 non-payroll\n                                                                        user access requests\n                                                                        were processed using\n                                                                        the incorrect form.\n                                                                        Users obtained access\n                                                                        using the DCPS\n                                                                        Security Access\n                                                                        Questionnaire.\n                                               35\n\x0cNo.   
Control Objective   Control Activities        Tests Performed       Results of Testing\n\n                                                                      Payroll users\n                                                                      DFAS was unable to\n                                                                      provide 5 of 45 selected\n                                                                      payroll user access forms.\n                                                                      We noted the following for\n                                                                      the 40 Payroll user access\n                                                                      forms provided:\n                                                                       \xe2\x80\xa2 14 of 40 payroll user\n                                                                         forms indicated a user\n                                                                         type that did not match\n                                                                         the user type listed in\n                                                                         DCPS.\n                                                                       \xe2\x80\xa2 5 of 40 payroll user\n                                                                         forms were missing\n                                                                         the user DCPS\n                                                                         Security Awareness\n                                                                         training completion\n                                                                         date.\n                                                                       \xe2\x80\xa2 1 of 40 payroll user\n                                                                         access forms was\n                           
                                              missing the user\xe2\x80\x99s\n                                                                         signature.\n\n                                                                       \xe2\x80\xa2 3 of 40 payroll user\n                                                                         access forms were\n                                                                         missing the date of the\n                                                                         supervisor\xe2\x80\x99s approval.\n\n                                                                       \xe2\x80\xa2 5 of 40 payroll user\n                                                                         access forms were\n                                                                         missing the security\n                                                                         manager\xe2\x80\x99s signature.\n\n\n                                               36\n\x0cNo.   
Control Objective   Control Activities        Tests Performed     Results of Testing\n\n\n                                                                      \xe2\x80\xa2 8 of 40 payroll user\n                                                                        access forms were\n                                                                        missing the date of the\n                                                                        security manager\xe2\x80\x99s\n                                                                        approval.\n\n                                                                      \xe2\x80\xa2 12 of 40 payroll access\n                                                                        request forms were\n                                                                        processed using the\n                                                                        incorrect non-payroll\n                                                                        user form for payroll\n                                                                        user type access.\n\n\n\n\n                                               37\n\x0cNo.   Control Objective             Control Activities                          Tests Performed                   Results of Testing\n\n\n                          2.2 - Policies and procedures are          Inquired with appropriate personnel       No relevant exceptions\n                          documented to describe how                 and inspected policies and procedures     noted.\n                          application users are appropriately        to confirm that users are appropriately\n                          identified and authenticated. 
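The form review behind control activity 2.1 is a reconciliation that can be run mechanically before an auditor ever draws a sample: for each user on the DCPS user list, is an authorization form on file, is it the correct form for that user type, do the user type and authorization type on the form match what DCPS actually grants, and are the user, supervisor and security manager signatures, the approval dates and the Security Awareness training date present. The script below is an added example, not code from this report or from DFAS or DISA; the record layouts, the form and field names, the "payroll"/"non-payroll" user types, the "inquiry"/"update" authorization types and every sample record are assumptions constructed for illustration. It reports each exception as "n of N" the way the report does, counting forms that could not be provided against the whole sample and every other exception only against the forms actually provided.

```python
"""Reconcile DCPS access-authorization forms (SAARs) against the DCPS user list.

Added example; not code from the audit report or from DFAS/DISA. The record
layouts, form and field names, user and authorization types, and every sample
record below are assumptions constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed form names. The questionnaire is not an access-authorization form, so
# a user whose only record is a questionnaire was granted access incorrectly.
PAYROLL_FORM = "DCPS SAAR (payroll user)"
NONPAYROLL_FORM = "DCPS SAAR (non-payroll user)"
QUESTIONNAIRE = "DCPS Security Access Questionnaire"

# Assumed field names; each must be filled in on an approved form.
REQUIRED_FIELDS = (
    "user_signature",
    "supervisor_signature",
    "supervisor_approval_date",
    "security_manager_signature",
    "security_manager_approval_date",
    "training_completion_date",
)


@dataclass
class AccessForm:
    user_id: str
    form_type: str
    user_type: str                  # as written on the form: "payroll" / "non-payroll"
    authorization_type: str         # as written on the form, e.g. "inquiry" / "update"
    fields: dict[str, str | None]   # REQUIRED_FIELDS -> value, None when left blank


@dataclass
class DcpsUser:
    user_id: str
    user_type: str                  # from the DCPS user list
    authorization_type: str         # from the DCPS user list


def correct_form_for(user_type: str) -> str:
    """Payroll users must use the payroll form; everyone else the non-payroll form."""
    return PAYROLL_FORM if user_type == "payroll" else NONPAYROLL_FORM


def reconcile(sample: list[str], forms: dict[str, AccessForm],
              dcps: dict[str, DcpsUser]) -> dict[str, list[str]]:
    """Apply the 2.1 checks to each sampled user ID; return user IDs per exception."""
    findings: dict[str, list[str]] = {
        "form_not_provided": [],
        "incorrect_form": [],
        "user_type_mismatch": [],
        "authorization_type_mismatch": [],
        **{f"missing_{name}": [] for name in REQUIRED_FIELDS},
    }
    for uid in sample:
        form = forms.get(uid)
        if form is None:
            findings["form_not_provided"].append(uid)
            continue                          # nothing further can be inspected
        user = dcps[uid]                      # the sample is drawn from the DCPS list
        if form.form_type != correct_form_for(user.user_type):
            findings["incorrect_form"].append(uid)
        if form.user_type != user.user_type:
            findings["user_type_mismatch"].append(uid)
        if form.authorization_type != user.authorization_type:
            findings["authorization_type_mismatch"].append(uid)
        for name in REQUIRED_FIELDS:
            if not form.fields.get(name):     # blank, missing or None
                findings[f"missing_{name}"].append(uid)
    return findings


def summarize(findings: dict[str, list[str]], sample_size: int) -> dict[str, tuple[int, int]]:
    """Express each exception as (n, N), i.e. 'n of N' as the audit states it.

    Unprovided forms count against the whole sample; every other exception can
    only be observed on the forms that were provided.
    """
    provided = sample_size - len(findings["form_not_provided"])
    return {cat: (len(ids), sample_size if cat == "form_not_provided" else provided)
            for cat, ids in findings.items()}


def complete_fields(**blank: None) -> dict[str, str | None]:
    """A fully completed form, with the named fields blanked for the sample cases."""
    fields: dict[str, str | None] = {name: "present" for name in REQUIRED_FIELDS}
    fields.update(blank)
    return fields


# Constructed sample data (invented; not the report's population).
DCPS_USERS = {u.user_id: u for u in (
    DcpsUser("u100", "payroll", "update"),
    DcpsUser("u101", "non-payroll", "inquiry"),
    DcpsUser("u102", "payroll", "update"),
    DcpsUser("u103", "non-payroll", "inquiry"),
    DcpsUser("u104", "non-payroll", "update"),
    DcpsUser("u105", "payroll", "inquiry"),
)}
SAMPLE_FORMS = {f.user_id: f for f in (
    AccessForm("u100", PAYROLL_FORM, "payroll", "update", complete_fields()),
    AccessForm("u101", NONPAYROLL_FORM, "payroll", "inquiry",        # user type differs from DCPS
               complete_fields(security_manager_approval_date=None)),
    AccessForm("u102", NONPAYROLL_FORM, "payroll", "update", complete_fields()),  # wrong form
    AccessForm("u103", QUESTIONNAIRE, "non-payroll", "inquiry",      # questionnaire, not a form
               complete_fields(training_completion_date=None, security_manager_signature=None)),
    # u104: no form could be provided
    AccessForm("u105", PAYROLL_FORM, "payroll", "update",            # authorization type differs
               complete_fields(supervisor_approval_date=None)),
)}
SAMPLE = sorted(DCPS_USERS)


if __name__ == "__main__":
    summary = summarize(reconcile(SAMPLE, SAMPLE_FORMS, DCPS_USERS), len(SAMPLE))
    for cat, (n, total) in summary.items():
        if n:
            print(f"{n} of {total}: {cat}")
```

Run stand-alone it prints one "n of N" line per exception category that fired. The point of keeping the DCPS user list as the population, rather than the pile of forms, is that the audit's first finding (forms that could not be produced at all) is only visible when you start from who actually has access and look for the paper behind each account.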
2.3 - On-line access logs are maintained by the System Management Office and are reviewed regularly for unauthorized access attempts.
Tests Performed: Inquired with appropriate personnel and inspected access logs and e-mails for unauthorized access attempts to confirm that logs are maintained by the System Management Office and are reviewed regularly for unauthorized access attempts.
[All payroll offices]
Results of Testing: No relevant exceptions noted.

2.4 - Remote terminal connections are secured and connected through Government-issued computers.
Tests Performed: Inquired with appropriate personnel and inspected remote terminal connections to confirm that they are secured and are connected through Government computers. Obtained a complete listing of all new DFAS Civilian Pay users with remote access from 10/1/2007 to 3/31/2008. Selected a sample of users and obtained the remote access packages to confirm that each included a:
      • Remote User Access Request Form and associated approvals, and
      • Memorandum of Agreement.
[All payroll offices]
Results of Testing: No relevant exceptions noted.

2.5 - Data entry terminals are connected to the system only during specified periods of the day, which correspond with the business hours of the data entry personnel.
Tests Performed: Confirmed through corroborative inquiry with appropriate personnel that terminals are not authorized to be connected after business hours.
[All payroll offices]
Results of Testing:
    DFAS Indianapolis: We noted no physical security controls in place to restrict access to the terminals after business hours.
    DFAS Cleveland: No relevant exceptions noted.

2.6 - User IDs and passwords are required to gain access to the DCPS application.
Tests Performed: Confirmed through corroborative inquiry with appropriate personnel and inspected the DCPS log-in screen to confirm that user IDs and passwords are required to gain access to the DCPS application.
[All payroll offices]
Results of Testing: No relevant exceptions noted.

3 - Restricted Access
Control Objective 3: Controls provide reasonable assurance that DCPS authorized users are restricted to access only areas needed to complete their assigned responsibilities, and controls maintain segregation of duties.

3.1 - The detailed 592 Reconciliation shows all pertinent data describing that the payroll (including total disbursements, Retirement, TSP, Bonds, and other withholdings) and related balances are reconciled in the appropriate accounting period to corresponding general ledger accounts within DCPS.
Tests Performed: Inquired with appropriate personnel and inspected a random sample of 592 Reconciliations for each database to confirm the following:
      • The detailed payroll reconciliation shows pertinent data describing
Results of Testing:
    DFAS Indianapolis: DFAS was unable to provide 8 of 45 592 Reconciliations requested.
      • 1 of 45 592 Reconciliations did not
All reconciling items          that the payroll (including total        balance and did not\n                                        are investigated and cleared in a           disbursements, Retirement, TSP,          have a supplemental\n                                        timely manner by supervisory                Bonds, and other withholdings)           592 Reconciliation\n                                        personnel, prior to disbursement.           and related balances are                 prepared.\n                                                                                    reconciled in the appropriate\n                                                                                    accounting period to                   \xe2\x80\xa2 1 of 45 592\n                                                                                    corresponding general ledger             Reconciliations did not\n                                                                                    accounts within DCPS.                    contain a signed report\n                                                                                                                             of withholdings.\n                                                                                  \xe2\x80\xa2 Each 592 Reconciliation is\n                                                                                                                          DFAS Cleveland:\n                                                                                    approved by management prior to\n                                                                                    disbursement.                         
No relevant exceptions\n                                                                                                                          noted.\n                                                                                  \xe2\x80\xa2 Reconciling items are investigated\n                                                                                    and cleared in a timely manner by\n                                                                                    supervisory personnel, prior to\n                                                                                    disbursement.\n\n                                                                                 [All payroll offices]\n\n\n                                        3.2 - Summary payroll reports            Inquired with appropriate personnel      DFAS Indianapolis:\n                                        including Online Queries (OLQs) of       and inspected summary reports and\n                                                                                                                          592 Reconciliations\n                                        total disbursements, Retirement, TSP,    OLQs reviewed and approved by\n                                        Bonds, and other withholdings are        management prior to disbursement.        DFAS personnel used the\n                                        reviewed and approved by                                                          592 Balancing Desk\n                                        management prior to disbursement.        
[All payroll offices]                    Guide; however, a policy\n                                                                                                                          regarding document\n                                                                                                                          retention was not in place.\n                                                                                                                          Specifically, there was no\n                                                                       40\n\x0cNo.   Control Objective   Control Activities        Tests Performed       Results of Testing\n\n                                                                      requirement to retain the\n                                                                      printed and reviewed\n                                                                      report checklist or the\n                                                                      signed Report of\n                                                                      Withholdings.\n\n                                                                      Management Summary\n                                                                      Reports\n\n                                                                      No policy was in place that\n                                                                      required a complete and\n                                                                      accurate listing of\n                                                                      management summary\n                                                                      reports generated and\n                                                                      reviewed by Civilian Pay\n                                                                      Processing Personnel.\n\n                          
                                            DFAS was unable to\n                                                                      provide the Separation\n                                                                      Actions without\n                                                                      Separations Codes Desk\n                                                                      Guide.\n                                                                      The Less than $1 Over\n                                                                      $5,000 Desk Guide did not\n                                                                      have an increased\n                                                                      threshold amount of\n                                                                      $10,000 in the review\n                                                                      procedures.\n                                                                      DFAS Cleveland:\n                                                                      DD 592 Reconciliations\n                                                                      DFAS personnel used the\n                                                                      Balancing Desk Guide;\n                                                                      however, a policy\n\n                                               41\n\x0cNo.   
Control Objective   Control Activities        Tests Performed       Results of Testing\n\n                                                                      regarding document\n                                                                      retention was not in place.\n                                                                      Specifically, there was no\n                                                                      requirement to retain the\n                                                                      printed and reviewed\n                                                                      report checklist or the\n                                                                      signed Report of\n                                                                      Withholdings.\n\n                                                                      Management Summary\n                                                                      Reports\n\n                                                                      No policy was in place that\n                                                                      required a complete and\n                                                                      accurate listing of\n                                                                      management summary\n                                                                      reports generated and\n                                                                      reviewed by Civilian Pay\n                                                                      Processing personnel\n\n                                                                      DFAS was unable to\n                                                                      provide the Desk Guides\n                                                                      for the following critical\n                                                    
                  reports:\n\n                                                                      \xe2\x80\xa2   Separation Action\n                                                                          without Separation\n                                                                          Codes Desk Guide,\n                                                                      \xe2\x80\xa2   Dual SSN/Mongoose\n                                                                          Desk Guide, and\n                                                                      \xe2\x80\xa2   P6702R01 - Invalid\n                                                                          SSN/Deceased\n                                                                          Employees/Negative\n                                                                          Year-To-Date Desk\n                                                                          Guide.\n\n                                               42\n\x0c    No.         Control Objective                      Control Activities                         Tests Performed                   Results of Testing\n\n\n4         System and Software Changes\n\n4         Controls provide reasonable        Not applicable as this is tested by the   Not Applicable as this is tested by the   Not Applicable as this is\n          assurance that system and          General Computer Controls. Please         General Computer Controls. Please         tested by the General\n          software changes are               see control objectives 13.1-13.6          see control objectives 13.1-13.6          Computer Controls. 
Please\n          authorized, effectively and                                                                                            see control objectives\n          efficiently implemented, tested,                                                                                       13.1-13.6\n          and documented. (General\n          Computer controls only)\n\n5                                                        [ This control objective was intentionally left blank]\n\n6         Enterprise-Wide Security Program\n\n6         Controls include an enterprise-    6.1 - A Security Program has been         Inquired with appropriate personnel to    No relevant exceptions\n          wide security program to           prepared specific to payroll operations   confirm a Security Program for            noted.\n          review and manage risks and        and is approved by management. The        payroll operations exists. Obtained\n          ensure that policies comply        plan is regularly tested and updated to   and inspected the date of the plans and\n          with laws and regulations.         reflect the results of such tests.        
corroborated with management that\n                                                                                       these plans are current, contain up-to-\n                                                                                       date information, and are readily\n                                                                                       available to all relevant personnel.\n                                                                                       Inquired with management to confirm\n                                                                                       that the plans have been approved.\n\n\n                                                                                       [All payroll offices]\n\n\n7         Personnel and Payroll Data\n\n7         Controls provide reasonable        7.1 - Policies and procedures are         Inquired with appropriate personnel       No relevant exceptions\n          assurance that personnel and       documented to describe that only valid    and inspected policies and procedures     noted.\n          payroll data processed and         and accurate changes are made to the      to confirm that only valid changes are\n          stored at the DFAS and DISA        payroll master files and payroll          made to the payroll master files and\n                                                                              43\n\x0cNo.         Control Objective                      Control Activities                       Tests Performed                    Results of Testing\n\n      General Computer Control           withholding tables.                     
payroll withholding tables.\n      locations are valid, accurate\n      and authorized, complete, and                                              [All payroll offices]\n      timely, and support financial\n      reporting requirements, and        7.2 - Programmed validation and edit    Inquired with appropriate personnel       No relevant exceptions\n      provide sufficient audit trails.   checks identify erroneous data.         and observed programmed validation        noted.\n                                                                                 and edit checks to confirm that they\n                                                                                 identify erroneous data entered\n                                                                                 directly into DCPS.\n\n\n                                                                                 [All payroll offices]\n\n\n                                         7.3 - The ability to view, modify, or   Inquired with appropriate personnel       DFAS Indianapolis:\n                                         transfer information contained in the   and inspected a random sample of\n                                                                                                                           Non-payroll users\n                                         payroll master files is restricted to   SAARs to confirm the following.\n                                         authorized personnel.                                                             
DFAS was unable to\n                                                                                     \xe2\x80\xa2    The payroll master file and\n                                                                                                                           provide 11 of 45 selected\n                                                                                          output is restricted to\n                                                                                                                           non-payroll user access\n                                                                                          authorized personnel.\n                                                                                                                           forms.\n                                                                                     \xe2\x80\xa2    Each operator is authorized      We noted the following for\n                                                                                          before being granted access      the 34 non-payroll user\n                                                                                          to the system.                   access forms provided:\n                                                                                     \xe2\x80\xa2    Confirm user profiles limit       \xe2\x80\xa2 6 of 34 non-payroll\n                                                                                          the type of transactions data       user forms indicated a\n                                                                                          entry personnel can enter into      user type that did not\n                                                                                          DCPS.                               
match the user type in\n                                                                                                                              DCPS.\n                                                                                 [All payroll offices]\n                                                                                                                            \xe2\x80\xa2 7 of 34 non-payroll\n                                                                                                                              user forms were\n                                                                                                                              missing the DCPS\n                                                                                                                              Security Awareness\n\n\n                                                                         44\n\x0cNo.   Control Objective   Control Activities        Tests Performed     Results of Testing\n\n\n\n                                                                        training completion\n                                                                        date.\n                                                                      \xe2\x80\xa2 2 of 34 non-payroll\n                                                                        user forms indicated a\n                                                                        user type that did not\n                                                                        match the user type in\n                                                                        DCPS.\n\n                                                                      \xe2\x80\xa2 1 of 34 non-payroll\n                                                                        user access forms was\n                                                                        missing the user\xe2\x80\x99s\n                  
                                                      signature.\n\n                                                                      \xe2\x80\xa2 1 of 34 non-payroll\n                                                                        user access forms was\n                                                                        missing the\n                                                                        supervisor\xe2\x80\x99s signature.\n\n                                                                      \xe2\x80\xa2 5 of 34 non-payroll\n                                                                        user access forms were\n                                                                        missing the date of the\n                                                                        supervisor\xe2\x80\x99s approval.\n\n                                                                      \xe2\x80\xa2 13 of 34 non-payroll\n                                                                        user access forms were\n                                                                        missing the security\n                                                                        manager\xe2\x80\x99s signature.\n\n                                                                      \xe2\x80\xa2 14 of 34 non-payroll\n                                                                        user access forms were\n                                                                        missing the date of the\n                                                                        security manager\xe2\x80\x99s\n                                                                        approval.\n\n\n                                               45\n\x0cNo.   
Control Objective   Control Activities        Tests Performed       Results of Testing\n\n\n                                                                       \xe2\x80\xa2 7 of 34 non-payroll\n                                                                         user access requests\n                                                                         were processed using\n                                                                         the incorrect form.\n                                                                         User obtained access\n                                                                         using the DCPS\n                                                                         Security Access\n                                                                         Questionnaire.\n                                                                      Payroll users\n                                                                      DFAS was unable to\n                                                                      provide 5 of 45 selected\n                                                                      payroll user access forms.\n\n                                                                      We noted the following for\n                                                                      the 40 payroll user access\n                                                                      forms provided:\n\n                                                                       \xe2\x80\xa2 13 of 40 payroll user\n                                                                         access forms were the\n                                                                         incorrect form. 
Users\n                                                                         obtained access using\n                                                                         non-payroll user\n                                                                         access forms.\n\n                                                                       \xe2\x80\xa2 17 of 40 payroll user\n                                                                         access forms indicated\n                                                                         user types that did not\n                                                                         match the user type in\n                                                                         listed in DCPS.\n\n                                                                       \xe2\x80\xa2 6 of 40 payroll user\n                                                                         access forms were\n                                                                         missing the DCPS\n                                                                         Security Awareness\n                                                                         completion date.\n                                               46\n\x0cNo.   
Control Objective   Control Activities        Tests Performed       Results of Testing\n\n\n\n                                                                       \xe2\x80\xa2 3 of 40 payroll user\n                                                                         access forms were\n                                                                         missing the date of the\n                                                                         supervisor\xe2\x80\x99s signature.\n\n                                                                       \xe2\x80\xa2 5 of 40 payroll user\n                                                                         access forms were\n                                                                         missing the Security\n                                                                         manager\xe2\x80\x99s signature.\n\n                                                                       \xe2\x80\xa2 7 of 40 payroll user\n                                                                         access forms were\n                                                                         missing the date of the\n                                                                         security manager\xe2\x80\x99s\n                                                                         approval.\n\n                                                                       \xe2\x80\xa2 4 of 40 payroll user\n                                                                         access forms processed\n                                                                         were incorrect forms.\n                                                                         Users obtained access\n                                                                         using the DCPS\n                                                                         Security\n                                             
Questionnaire.

DFAS Cleveland:

Non-payroll users

DFAS was unable to provide 4 of 45 selected non-payroll user access forms. We noted the following for the 41 non-payroll user access forms provided:

• 5 of 41 non-payroll user forms indicated a user type that did not match the user type in DCPS.
• 4 of 41 non-payroll user forms indicated authorization types that did not match the authorization type in DCPS.
• 9 of 41 non-payroll user forms were missing the completion date for the DCPS Security Awareness training.
• 1 of 41 non-payroll user access forms was missing the supervisor's signature.
• 5 of 41 non-payroll user access forms were missing the date of the supervisor's approval.
• 10 of 41 non-payroll user access forms were missing the security manager's signature.
• 13 of 41 non-payroll user access forms were missing the date of the security manager's approval.
• 6 of 41 non-payroll user access forms were the incorrect form. The user obtained access using the DCPS Security Access Questionnaire.

Payroll users

DFAS was unable to provide 5 of 45 selected payroll user access forms. We noted the following for the 40 payroll user access forms provided:

• 14 of 40 payroll user forms indicated a user type that did not match the user type listed in DCPS.
• 5 of 40 payroll user forms were missing the DCPS Security Awareness training completion date.
• 1 of 40 payroll user access forms did not include the user's signature.
• 3 of 40 payroll user access forms were missing the date of the supervisor's approval.
• 5 of 40 payroll user access forms were missing the security manager's signature.
• 10 of 40 payroll user access forms were missing the date of the security manager's approval.
• 2 of 40 forms processed were the incorrect form.
• 12 of 40 selected payroll user access forms were processed using the incorrect non-payroll user form.


No.   Control Objective   Control Activities   Tests Performed   Results of Testing

Control Activity 7.4 - Changes to the payroll withholding tables and master files are compared to authorized source documents by supervisory personnel to ensure that they were input accurately.

    Tests Performed: Inquired with appropriate personnel and inspected documentation regarding the process of tax changes to the payroll withholding tables and master files being compared to authorized source documents by supervisory personnel to confirm that they were reviewed and approved.

    Inquired with appropriate personnel and inspected the Imaging process to confirm that inputs are compared to authorized Imaging source documents and input accurately.
    [Indianapolis payroll office]

    Results of Testing: No relevant exceptions noted.

Control Activity 7.5 - The system provides an audit trail of all transactions processed, transaction errors, error descriptions, and error correction procedures. Audit trails are reviewed by supervisory personnel and erroneous data are captured, reported, investigated, and corrected.

    Tests Performed: Inquired with appropriate personnel and inspected audit trails of transactions to confirm that erroneous transactions are reviewed by supervisory personnel, and captured, reported, investigated, and corrected.
    [Pensacola TSO]

    Results of Testing: No relevant exceptions noted.

Control Activity 7.6 - Policies and procedures are documented to describe that transactions from interfacing systems are subjected to the payroll system edits, validations, and error-correction procedures.

    Tests Performed: Inquired with appropriate personnel and inspected policies and procedures to confirm that transactions from interfacing systems are subjected to the payroll system edits, validations, and error-correction procedures.
    [Pensacola TSO]

    Results of Testing: No relevant exceptions noted.

Control Activity 7.7 - Policies and procedures are documented to describe that changes made to the payroll master files and withholding tables are authorized, input, and processed timely.

    Tests Performed: Inquired with appropriate personnel and inspected policies and procedures to confirm that changes to the payroll master files and withholding tables are authorized, input, and processed timely.
    [Cleveland payroll office]

    Results of Testing: No relevant exceptions noted.

Control Activity 7.8 - Policies and procedures are documented to describe that changes made to the payroll master files and withholding tables are authorized, input, and processed timely.

    Tests Performed: Inquired with appropriate personnel and inspected policies and procedures to confirm that changes to the payroll master files and withholding tables are authorized, input, and processed timely.
    [Indianapolis payroll office]

    Results of Testing: No relevant exceptions noted.

Control Activity 7.9 - Changes to the payroll master file and withholding table data are logged in numerous reports and reviewed by supervisory personnel to ensure that all requested changes are processed timely.

    Tests Performed: Inquired with appropriate personnel and inspected management summary reports to confirm that changes to the payroll master file and table data are logged and reviewed by supervisory personnel.
    [All payroll offices]

    Results of Testing:

    DFAS Indianapolis:

    Management Summary Reports

    The management summary reports for the audit period were not available; therefore, no tests were performed.

    DFAS was unable to provide the Separation Actions without Separations Codes Desk Guide.

    The Less than $1 Over $5,000 Desk Guide did not have an increased threshold amount of $10,000 in the review procedures.

    DFAS Cleveland:

    Management Summary Reports

    The management summary reports for the audit period were not available; therefore, no tests were performed.

    DFAS was unable to provide the following Desk Guides for the following critical reports:

    • Separation Action without Separation Codes Desk Guide,
    • Dual SSN/Mongoose Desk Guide, and
    • P6702R01 - Invalid SSN/Deceased Employees/Negative Year-To-Date Desk Guide.

Control Activity 7.10 - Requests to change the payroll master file data and withholding table are submitted on pre-numbered Remedy Tickets; the numerical sequence of the Remedy Tickets is accounted for to ensure that the requested changes are processed timely; access to source documents is controlled; and key source documents require signatures from supervisory personnel.

    Tests Performed: Inquired with appropriate personnel and inspected a random sample of Remedy Tickets to confirm that the:

    • requests were pre-numbered;
    • sequence was accounted for so that the forms were accounted for timely;
    • tickets were processed in a timely manner; and
    • access to the source documents was controlled.

    [All payroll offices]

    Results of Testing:

    DFAS Indianapolis: 4 of 45 Remedy Tickets were not resolved within the required DFAS Indianapolis processing schedule.

    DFAS Cleveland: No relevant exceptions noted.

Control Activity 7.11 - Payroll master file data and withholding table data are edited and validated and errors identified on the Personnel Interface Invalid Report are corrected promptly.

    Tests Performed: Inquired with appropriate personnel and inspected a sample of Personnel Interface Invalid Reports of erroneous transactions to confirm that items are investigated and resolved.
    [All payroll offices]

    Results of Testing:

    DFAS Indianapolis:

    DFAS was unable to provide 12 of 45 PIIRs requested. We noted the following for the remaining 33 PIIRs:

    • 3 of 33 PIIRs did not include annotations using the proper standard codes.
    • 2 of 33 PIIRs did not include the dates the payroll technician addressed the errors.

    DFAS Cleveland:

    DFAS was unable to provide 16 of 45 PIIRs requested. We noted the following for the remaining 29 PIIRs:

    • 1 of 29 available PIIRs was missing the payroll technician's signature.
    • 1 of 29 PIIRs did not include the date the payroll technician annotated the report.

Control Activity 7.12 - Policies and procedures are documented to describe that payroll processing is accurate and recorded in the proper period.

    Tests Performed: Inquired with appropriate personnel and inspected policies and procedures to confirm that payroll processing is accurate and recorded in the appropriate period.
    [All payroll offices]

    Results of Testing:

    DFAS Indianapolis:

    592 Reconciliations

    DFAS personnel use the 592 Balancing Desk Guide; however, a policy regarding document retention was not in place. Specifically, there was no requirement to retain the printed and reviewed report checklist or the signed Report of Withholdings.

    Management Summary Reports

    The management summary reports for the audit period were not available; therefore, no tests were performed.

    DFAS was unable to provide the Separation Actions without Separations Codes Desk Guide.

    The Less than $1 Over $5,000 Desk Guide did not have an increased threshold amount of $10,000 in the review procedures.

    DFAS Cleveland:

    592 Reconciliations

    DFAS personnel use the 592 Balancing Desk Guide; however, a policy regarding document retention was not in place. Specifically, there was no requirement to retain the printed and reviewed report checklist or the signed Report of Withholdings.

    Management Summary Reports

    The management summary reports for the audit period were not available; therefore, no tests were performed.

    DFAS was unable to provide the Desk Guides for the following critical reports:

    • Separation Action without Separation Codes Desk Guide,
    • Dual SSN/Mongoose Desk Guide, and
    • P6702R01 - Invalid SSN/Deceased Employees/Negative Year-To-Date Desk Guide.

Control Activity 7.13 - Compliance with the payroll disbursement processing schedule is monitored by management.

    Tests Performed: Inquired with appropriate personnel and inspected pay processing schedules and the payroll disbursement process to confirm the monitoring of payroll disbursement processing schedule by management.

    Inspected a random sample of 592 reconciliations to confirm that payroll disbursement is approved and monitored by management.
    [All payroll offices]

    Results of Testing:

    DFAS Indianapolis:

    592 Reconciliations

    DFAS personnel used the 592 Balancing Desk Guide; however, a policy regarding document retention was not in place. Specifically, there was no requirement to retain the printed and reviewed report checklist or the signed Report of Withholdings.

    DFAS was unable to provide 8 of 45 reconciliations that provided evidence of reconciliation, final review, and disbursement of payroll.

    Management Summary Reports

    The management summary reports for the audit period were not available; therefore, no tests were performed.

    DFAS was unable to provide the Separation Actions without Separations Codes Desk Guide.

    The Less than $1 Over $5,000 Desk Guide did not have an increased threshold amount of $10,000 in the review procedures.

    DFAS Cleveland:

    592 Reconciliations

    DFAS personnel use the 592 Balancing Desk Guide; however, a policy regarding document retention was not in place. Specifically, there was no requirement to retain the printed and reviewed report checklist or the signed Report of
 Withholdings.\n\n                                                                      10 of 45 selected\n                                                                      reconciliations were\n                                                                      missing documentation of\n                                                                      a final disbursement\n                                                                      authorization.\n\n                                                                      Management Summary\n                                                                      Reports\n\n\n                                               60\n\x0cNo.   Control Objective   Control Activities        Tests Performed       Results of Testing\n\n                                                                      The management summary\n                                                                      reports for the audit period\n                                                                      were not available;\n                                                                      therefore, no tests were\n                                                                      performed.\n\n                                                                      DFAS was unable to\n                                                                      provide the Desk Guides\n                                                                      for the following critical\n                                                                      reports:\n\n                                                                      \xe2\x80\xa2   Separation Action\n                                                                          without Separation\n                                                                          Codes Desk Guide,\n                                                                      
\xe2\x80\xa2   Dual SSN/Mongoose\n                                                                          Desk Guide, and\n                                                                      \xe2\x80\xa2   P6702R01 - Invalid\n                                                                          SSN/Deceased\n                                                                          Employees/Negative\n                                                                          Year-To-Date Desk\n                                                                          Guide.\n\n\n\n\n                                               61\n\x0cNo.   Control Objective             Control Activities                         Tests Performed                    Results of Testing\n\n\n                          7.14 - The detailed 592 payroll           Inquired with appropriate personnel       DFAS Indianapolis:\n                          reconciliation shows all pertinent data   and inspected a random sample of 592\n                                                                                                              DFAS was unable to\n                          describing the payroll (including total   Reconciliations for each database to\n                                                                                                              provide 8 of 45\n                          disbursements, Retirement, TSP,           confirm:\n                                                                                                              reconciliations requested.\n                          Bonds, and other withholdings) and\n                          the related balances are reconciled, in   \xe2\x80\xa2   the detailed payroll reconciliation\n                                                                                                              Of the remaining 32 592\n                          the appropriate accounting period, to         shows 
pertinent data describing\n                                                                                                              reconciliations:\n                          corresponding general ledger accounts         the payroll (including total\n                          within DCPS. All reconciling items            disbursements, Retirement, TSP,       \xe2\x80\xa2   1 592 reconciliation\n                          are investigated and cleared on a             Bonds, and other withholdings)            did not balance, and a\n                          timely basis by supervisory personnel,        and the related balances are              supplemental was not\n                          prior to disbursement.                        reconciled in the appropriate             prepared; and\n                                                                        accounting period to\n                                                                        corresponding general ledger          \xe2\x80\xa2   1 592 reconciliation\n                                                                        accounts within DCPS;                     did not contain a\n                                                                                                                  signed report of\n                                                                    \xe2\x80\xa2   each 592 Reconciliation is                withholdings.\n                                                                        approved by management prior to\n                                                                                                              DFAS Cleveland:\n                                                                        disbursement; and\n                                                                                                              10 out of 45\n                                                                    \xe2\x80\xa2   reconciling 
items are investigated\n                                                                                                              reconciliations did not\n                                                                        and cleared on a timely basis by\n                                                                                                              contain a final\n                                                                        supervisory personnel prior to\n                                                                                                              disbursement\n                                                                        disbursement.\n                                                                                                              authorization.\n\n                                                                    [All payroll offices]\n\n\n                          7.15 - Summary payroll reports            Inquired with appropriate supervisor      DFAS Indianapolis:\n                          including OLQs of total                   and management personnel, obtained\n                                                                                                              592 Reconciliations\n                          disbursements, Retirement, TSP,           and inspected management summary\n                          Bonds, and other withholdings are         payroll reports or OLQs to confirm        DFAS personnel used the\n                          periodically reviewed by supervisory      the following:                            592 Balancing Desk Guide\n                          personnel for accuracy and ongoing                                                  however, a policy\n                          pertinence of the payroll master file         \xe2\x80\xa2    Payroll master files and\n                                                                                         
                     regarding document\n                          and withholding tables, and approved               withholding tables are\n                                                                                                              retention was not in place.\n                                                                             periodically reviewed by\n                                                          62\n\x0cNo.   Control Objective            Control Activities                       Tests Performed               Results of Testing\n\n                          by management prior to disbursement.            supervisory personnel for   Specifically, there was no\n                                                                          accuracy and ongoing        requirement to retain the\n                                                                          pertinence; and             printed and reviewed\n                                                                                                      report checklist or the\n                                                                     \xe2\x80\xa2    Reports are approved by     signed Report of\n                                                                          management prior to         Withholdings.\n                                                                          disbursement.\n                                                                                                      Management Summary\n                                                                                                      Reports\n                                                                 [All payroll offices]\n                                                                                                      The management summary\n                                                                                                      reports for the audit 
period\n                                                                                                      were not available;\n                                                                                                      therefore, no tests were\n                                                                                                      performed.\n\n                                                                                                      DFAS was unable to\n                                                                                                      provide the Separation\n                                                                                                      Actions without\n                                                                                                      Separations Codes Desk\n                                                                                                      Guide.\n\n                                                                                                      The Less than $1 Over\n                                                                                                      $5,000 Desk Guide did not\n                                                                                                      have an increased\n                                                                                                      threshold amount of\n                                                                                                      $10,000 in the review\n                                                                                                      procedures.\n                                                                                                      DFAS Cleveland:\n                                                                                                      592 Reconciliations\n                                        
                                                              DFAS personnel used the\n                                                                                                      592 Balancing Desk\n                                                                                                      Guide; however, a policy\n                                                                                                      regarding document\n\n                                                        63\n\x0cNo.   Control Objective   Control Activities        Tests Performed       Results of Testing\n\n                                                                      retention was not in place.\n                                                                      Specifically, there was no\n                                                                      requirement to retain the\n                                                                      printed and reviewed\n                                                                      report checklist or the\n                                                                      signed Report of\n                                                                      Withholdings.\n\n                                                                      Management Summary\n                                                                      Reports\n\n                                                                      The management summary\n                                                                      reports for the audit period\n                                                                      were not available;\n                                                                      therefore, no tests were\n                                                                      performed.\n\n                                                                      DFAS was unable 
to\n                                                                      provide the Desk Guides\n                                                                      for the following critical\n                                                                      reports:\n\n                                                                      \xe2\x80\xa2   Separation Action\n                                                                          without Separation\n                                                                          Codes Desk Guide,\n                                                                      \xe2\x80\xa2   Dual SSN/Mongoose\n                                                                          Desk Guide, and\n                                                                      \xe2\x80\xa2   P6702R01 - Invalid\n                                                                          SSN/Deceased\n                                                                          Employees/Negative\n                                                                          Year-To-Date Desk\n                                                                          Guide.\n\n\n\n\n                                               64\n\x0cNo.   
Control Objective            Control Activities                        Tests Performed                  Results of Testing\n\n\n                          7.16 - Policies and procedures are      Inquired with appropriate personnel     DFAS Indianapolis:\n                          documented to describe that disbursed   and inspected policies and procedures\n                                                                                                          592 Reconciliations\n                          payroll (including compensation and     to confirm controls are in place to\n                          withholding) is accurately calculated   monitor that disbursed payroll is       DFAS personnel used the\n                          and recorded.                           accurately calculated and recorded.     592 Balancing Desk\n                                                                                                          Guide; however, a policy\n                                                                                                          regarding document\n                                                                  [All payroll offices]                   retention was not in place.\n                                                                                                          Specifically, there was no\n                                                                                                          requirement to retain the\n                                                                                                          printed and reviewed\n                                                                                                          report checklist or the\n                                                                                                          signed Report of\n                                                                                                          
Withholdings.\n\n                                                                                                          Management Summary\n                                                                                                          Reports\n\n                                                                                                          The management summary\n                                                                                                          reports for the audit period\n                                                                                                          were not available;\n                                                                                                          therefore, no tests were\n                                                                                                          performed.\n\n                                                                                                          DFAS was unable to\n                                                                                                          provide the Separation\n                                                                                                          Actions without\n                                                                                                          Separations Codes Desk\n                                                                                                          Guide.\n\n                                                                                                          The Less than $1 Over\n                                                                                                          $5,000 Desk Guide did not\n                                                                                                          include an increased\n                                                                                
                          threshold amount of\n                                                                                                          $10,000 within its review\n\n                                                        65\n\x0cNo.   Control Objective   Control Activities        Tests Performed       Results of Testing\n\n                                                                      procedures.\n                                                                      DFAS Cleveland:\n                                                                      592 Reconciliations\n                                                                      DFAS personnel used the\n                                                                      592 Balancing Desk\n                                                                      Guide; however, a policy\n                                                                      regarding document\n                                                                      retention was not in place.\n                                                                      Specifically, there was no\n                                                                      requirement to retain the\n                                                                      printed and reviewed\n                                                                      report checklist or the\n                                                                      signed Report of\n                                                                      Withholdings.\n\n                                                                      Management Summary\n                                                                      Reports\n\n                                                                      The management summary\n                                                                      reports for the audit period\n     
                                                                 were not available;\n                                                                      therefore, no tests were\n                                                                      performed.\n\n                                                                      DFAS was unable to\n                                                                      provide the Desk Guides\n                                                                      for the following critical\n                                                                      reports:\n\n                                                                      \xe2\x80\xa2   Separation Action\n                                                                          without Separation\n                                                                          Codes Desk Guide,\n                                                                      \xe2\x80\xa2   Dual SSN/Mongoose\n                                                                          Desk Guide, and\n                                               66\n\x0cNo.   
Control Objective            Control Activities                    Tests Performed                 Results of Testing\n\n\n                                                                                                     \xe2\x80\xa2   P6702R01 - Invalid\n                                                                                                         SSN/Deceased\n                                                                                                         Employees/Negative\n                                                                                                         Year-To-Date Desk\n                                                                                                         Guide.\n                          7.17 - DCPS performs limit and      Inquired with appropriate personnel    DFAS Indianapolis:\n                          reasonableness checks on employee   and inspected a limit and\n                                                                                                     Management Summary\n                          earnings.                           
reasonableness management summary\n                                                                                                     Reports\n                                                              report to confirm the required limit\n                                                              and reasonableness checks are\n                                                                                                     The management summary\n                                                              performed on employee earnings.\n                                                                                                     reports for the audit period\n                                                                                                     were not available;\n                                                              [All payroll offices]                  therefore, no tests were\n                                                                                                     performed.\n\n                                                                                                     DFAS was unable to\n                                                                                                     provide the Separation\n                                                                                                     Actions without\n                                                                                                     Separations Codes Desk\n                                                                                                     Guide.\n\n                                                                                                     The Less than $1 Over\n                                                                                                     $5,000 Desk Guide did not\n                                                                                               
No.   Control Objective   Control Activities   Tests Performed   Results of Testing

    Results of Testing (continued from the preceding control): ... have an increased threshold amount of $10,000 in the review procedures.

    DFAS Cleveland: Management Summary Reports
    The management summary reports for the audit period were not available; therefore, no tests were performed.
    DFAS was unable to provide the Desk Guides for the following critical reports:
        • Separation Action without Separation Codes Desk Guide,
        • Dual SSN/Mongoose Desk Guide, and
        • P6702R01 - Invalid SSN/Deceased Employees/Negative Year-To-Date Desk Guide.

7.18 - Policies and procedures are documented to describe that only valid, authorized employees are paid and that payroll is disbursed to appropriate employees.
    Tests Performed: Inquired with appropriate personnel and inspected policies and procedures to confirm that only valid, authorized employees are paid and that payroll is disbursed to appropriate employees. [All payroll offices]
    Results of Testing: No relevant exceptions noted.

7.19 - Supervisory personnel periodically review listings, such as the Personnel/Payroll Reconciliation Report, of current employees within each user organization and notify the corresponding user organization's personnel department of necessary changes.
    Tests Performed: Inquired with appropriate personnel and inspected the Personnel/Payroll Reconciliation Report to confirm it was sent to management for review of employee listings and notification. Obtained and inspected a sample of Personnel/Payroll Reconciliation Reports, along with the corresponding supervisor document log, to confirm that personnel or payroll items that require resolution are investigated and resolved by the appropriate Civilian Pay personnel. [All payroll offices]
    Results of Testing:
    DFAS Indianapolis: No policy was in place that required review annotations and document retention for the personnel/payroll reports. DFAS was unable to provide 4 of 45 Personnel/Payroll Reconciliation Report reviews requested. We noted 8 of 41 reports did not include notification sent to the user agency with the necessary changes.
    DFAS Cleveland: No Personnel/Payroll Reconciliations were prepared during the testing period. No policy was in place that required review annotations and document retention for the Personnel/Payroll Reports.

7.20 - Only authorized personnel have the ability to disburse payroll.
    Tests Performed: Inquired with the appropriate personnel and inspected the policies and procedures regarding the disbursement of payroll, and inspected a sample of DCPS user profiles to confirm that only authorized personnel have the ability to disburse payroll. [DFAS Saufley Field]
    Results of Testing:
    DFAS Saufley Field: 1 of 66 SAARs tested included a justification for access that did not include the responsibility to disburse payroll.

7.21 - Policies and procedures are documented to describe that controls provide reasonable assurance of the integrity and reliability of DCPS data for financial reporting purposes.
    Tests Performed: Inquired with appropriate personnel and inspected policies and procedures to confirm that the 592 Reconciliations are used by payroll office personnel to provide assurance of the integrity and reliability of DCPS data for financial reporting purposes. [All payroll offices]
    Results of Testing:
    DFAS Indianapolis: 592 Reconciliations. DFAS personnel used the 592 Balancing Desk Guide; however, a policy regarding document retention was not in place. Specifically, there was no requirement to retain the printed and reviewed report checklist, or the signed Report of Withholdings.
    DFAS Cleveland: 592 Reconciliations. DFAS personnel used the 592 Balancing Desk Guide; however, a policy regarding document retention was not in place. Specifically, there was no requirement to retain the printed and reviewed report checklist or the signed Report of Withholdings.

7.22 - Payroll transactions at the end of a payroll cycle are reconciled by supervisory personnel to ensure complete and consistent recording in the appropriate accounting period.
    Tests Performed: Inquired with appropriate personnel and inspected a random sample of 592 Reconciliations at the end of a payroll cycle to confirm they were reconciled in order to confirm complete and consistent recording in the appropriate accounting period. [All payroll offices]
    Results of Testing:
    DFAS Indianapolis: DFAS was unable to provide 8 of 45 samples documenting final disbursement authorization.
    DFAS Cleveland: 10 of 45 reconciliations were missing documentation of a final disbursement authorization.

7.23 - Error reports, such as the Personnel Interface Invalid Report, and error warnings show rejected transactions with error messages that have clear, understandable corrective actions for each type of error. Rejected data are automatically written to the Personnel Interface Invalid Report and held until corrected by payroll technicians. Each erroneous transaction is annotated with codes indicating the type of data error, date and time the transaction was processed and the error identified, and the identity of the user who originated the transaction. Users review the Personnel Interface Invalid Reports for data accuracy, validity, and completeness. A control group is responsible for controlling and monitoring rejected transactions included on the Personnel Interface Invalid Report.
    Tests Performed: Inquired with appropriate personnel and inspected a sample of Personnel Interface Invalid Reports to confirm the following:
        • The reports show rejected transactions with error messages that have clear, understandable corrective actions for each type of error.
        • The rejected data are automatically written on an automated error suspense file and held until corrected by payroll technicians. Each erroneous transaction is annotated with codes indicating the type of data error, date and time the transaction was processed, the error identified, and the identity of the user who originated the transaction.
        • Users review output for data accuracy, validity, and completeness.
        • The report is used for controlling and monitoring rejected transactions.
    [All payroll offices]
    Results of Testing:
    DFAS Indianapolis: DFAS was unable to provide 12 of 45 PIIRs. For the remaining 33 PIIRs:
        • 3 PIIRs did not include annotations using the proper standard codes.
        • 2 PIIRs did not include the dates the payroll technician addressed the errors.
    DFAS Cleveland: DFAS was unable to provide 16 of 45 PIIRs requested. Of the 29 PIIR reports provided:
        • 1 PIIR was missing the payroll technician's signature.
        • 1 PIIR did not include the dates the payroll technician addressed the errors.

7.24 - Policies and procedures are documented to describe that capabilities exist for fiscal year-end, leave year-end, and calendar year-end processing and forfeitures in accordance with established Government-wide and agency guidelines.
    Tests Performed: Inquired with appropriate personnel and inspected policies and procedures to confirm that capabilities exist for fiscal year-end, leave year-end, and calendar year-end processing and forfeitures in accordance with established Government-wide and agency guidelines. Obtained and inspected Payroll Quality Review reports to confirm checklists are followed, and payroll steps have been performed. [All payroll offices]
    Results of Testing:
    DFAS Indianapolis: Management Summary Reports
    No policy was in place that required a complete and accurate listing of management summary reports generated and reviewed by Civilian Pay Processing Personnel. DFAS was unable to provide the Separation Actions without Separations Codes Desk Guide. The Less than $1 Over $5,000 Desk Guide did not have an increased threshold amount of $10,000 in the review procedures.
    DFAS Cleveland: Management Summary Reports
    No policy was in place that required a complete and accurate listing of management summary reports generated and reviewed by Civilian Pay Processing personnel. DFAS was unable to provide the Desk Guides for the following critical reports:
        • Separation Action without Separation Codes Desk Guide,
        • Dual SSN/Mongoose Desk Guide, and
        • P6702R01 - Invalid SSN/Deceased Employees/Negative Year-To-Date Desk Guide.

7.25 - Payroll withholding table data is periodically reviewed by supervisory personnel for compliance with statutory requirements.
    Tests Performed: Inspected a sample of payroll withholding table data updates to confirm that they are periodically updated by supervisory personnel for compliance with statutory requirements. [DFAS Saufley Field]
    Results of Testing: No relevant exceptions noted.

7.26 - The data processing control group has a schedule by application that shows when outputs should be completed, when they need to be distributed, who the recipients are, and the copies needed. The data processing control group reviews output products for general acceptability; and reconciles control information to determine completeness of processing.
    Tests Performed: Inquired with appropriate personnel and inspected the schedules used by the data processing group to confirm that they:
        • had a schedule by application that shows when outputs need to be completed, when they need to be distributed, who the recipients are, and the copies needed;
        • reviewed output products for general acceptability; and
        • reconciled control information to determine completeness of processing.
    [DFAS Saufley Field]
    Results of Testing:
    DFAS Saufley Field: DFAS was unable to provide operator job logs for 3 of the 18 randomly selected dates.

7.27 - Policies and procedures are documented to describe that current- or prior-period adjustments to employee's pay, including employee debt, tax deduction, or deductions not taken, are reported, reconciled, and approved.
    Tests Performed: Inquired with appropriate personnel and inspected policies and procedures to confirm that current- or prior-period adjustments to each employee's pay, including employee debt, tax deduction, or deductions not taken, are reported, reconciled, and approved. [All payroll offices]
    Results of Testing:
    DFAS Indianapolis: Management Summary Reports
    No policy was in place that required a complete and accurate listing of management summary reports generated and reviewed by Civilian Pay Processing Personnel. DFAS was unable to provide the Separation Actions without Separations Codes Desk Guide. The Less than $1 Over $5,000 Desk Guide did not have an increased threshold amount of $10,000 in the review procedures.
    DFAS Cleveland: Management Summary Reports
    No policy was in place that required a complete and accurate listing of management summary reports generated and reviewed by Civilian Pay Processing Personnel. DFAS was unable to provide the Desk Guides for the following critical reports:
        • Separation Action without Separation Codes Desk Guide,
        • Dual SSN/Mongoose Desk Guide, and
        • P6702R01 - Invalid SSN/Deceased Employees/Negative Year-To-Date Desk Guide.

8   Data From Interfacing Systems

8   Control Objective: Controls provide reasonable assurance that data from interfacing systems are transferred timely and accurately.

8.1 - Policies and procedures are documented to describe that data transmissions between DCPS and user organizations are authorized, complete, accurate, and secure.
    Tests Performed: Inquired with appropriate personnel and inspected policies and procedures to confirm that data transmissions between DCPS and user organizations are authorized, complete, accurate, and secure. [DFAS Saufley Field]
    Results of Testing: No relevant exceptions noted.

8.2 - For interfacing systems, record counts are accumulated and compared to footer control totals to help determine the completeness of interface processing. Out-of-balance conditions are reported, corrected, and reentered.
    Tests Performed: Inquired with appropriate personnel and inspected interface files to confirm that record counts match control totals in the footer to determine completeness of interface processing and out-of-balance
    Results of Testing: No relevant exceptions noted.
conditions are reported, corrected, and\n                                                                                  reentered.\n\n\n                                                                                  [DFAS Saufley Field]\n\n\n                                        8.3 - Batch transactions without pre-     Inspected a batch transactions report     No relevant exceptions\n                                        assigned serial numbers are               to confirm that transactions without      noted.\n                                        automatically assigned a unique           pre-assigned serial numbers are\n                                        sequence number, which is used by         automatically assigned a unique\n                                        the computer to monitor that all          sequence number.\n                                        transactions are processed.\n                                                                                  [DFAS Saufley Field]\n\n\n\n                                                                        78\n\x0cGeneral Computer Control Objectives, Control Activities, Tests Performed, and Results of Testing\n\n\n   No.         
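The interface completeness check in control activity 8.2 and the sequence numbering in 8.3 of the application controls above, as an added example that is not DFAS or DCPS code: a file is read once, record counts and amounts are accumulated and compared with the footer control totals, an out-of-balance file is reported rather than processed, and only balanced transactions without a pre-assigned serial receive a unique sequence number. The pipe-delimited record layout, the SEQ-prefixed sequence numbers and both sample files are constructed for illustration.

```python
from dataclasses import dataclass, field
from itertools import count
from typing import List, Optional

# Constructed sample interface file (not a real DCPS layout): a header record,
# detail records, and a footer record carrying control totals.
# Detail fields: record type | pre-assigned serial (may be blank) | transaction id | signed amount in cents
# Footer fields: record type | detail record count | net amount in cents
SAMPLE_IN_BALANCE = """\
HDR|PAYROLL-TA|2008-03-15
DTL|SN000123|T0001|+12500
DTL||T0002|-00375
DTL|SN000124|T0003|+80000
DTL||T0004|+00999
FTR|4|93124
"""

# Same file with one detail record lost in transit: the footer still claims
# four records, so neither control total agrees with what was received.
SAMPLE_OUT_OF_BALANCE = """\
HDR|PAYROLL-TA|2008-03-15
DTL|SN000123|T0001|+12500
DTL||T0002|-00375
DTL||T0004|+00999
FTR|4|93124
"""


@dataclass
class Transaction:
    serial: str                    # pre-assigned serial, or the sequence number assigned below
    txn_id: str
    amount_cents: int
    serial_assigned: bool = False  # True when control 8.3 numbering filled the serial in


@dataclass
class InterfaceResult:
    in_balance: bool
    counted_records: int
    footer_count: Optional[int]
    counted_amount: int
    footer_amount: Optional[int]
    errors: List[str] = field(default_factory=list)
    transactions: List[Transaction] = field(default_factory=list)


def assign_sequence_numbers(txns: List[Transaction], start: int = 1) -> List[str]:
    """Control 8.3: give every transaction without a pre-assigned serial a unique
    sequence number; duplicate serials (pre-assigned or not) are reported."""
    seen, seq, errors = set(), count(start), []
    for t in txns:
        if not t.serial:
            t.serial = f"SEQ{next(seq):06d}"   # constructed numbering scheme
            t.serial_assigned = True
        if t.serial in seen:
            errors.append(f"duplicate serial {t.serial} on {t.txn_id}")
        seen.add(t.serial)
    return errors


def check_interface_file(text: str) -> InterfaceResult:
    """Control 8.2: accumulate record counts and amounts while reading the file
    and compare them with the footer control totals before anything is processed."""
    txns, errors = [], []
    footer_count = footer_amount = None
    running_amount = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("|")
        rtype = fields[0]
        if rtype == "HDR":
            continue
        if rtype == "DTL":
            if len(fields) != 4:
                errors.append(f"line {lineno}: malformed detail record")
                continue
            amount = int(fields[3])
            running_amount += amount
            txns.append(Transaction(fields[1], fields[2], amount))
        elif rtype == "FTR":
            footer_count, footer_amount = int(fields[1]), int(fields[2])
        else:
            errors.append(f"line {lineno}: unknown record type {rtype!r}")
    if footer_count is None:
        errors.append("footer control record missing")
    else:
        if footer_count != len(txns):
            errors.append(f"record count {len(txns)} != footer control total {footer_count}")
        if footer_amount != running_amount:
            errors.append(f"amount total {running_amount} != footer control total {footer_amount}")
    in_balance = not errors
    if in_balance:
        # Only a balanced file moves on to processing; an out-of-balance file is
        # reported for correction and re-entry, so no sequence numbers are consumed.
        errors.extend(assign_sequence_numbers(txns))
        in_balance = not errors
    return InterfaceResult(in_balance, len(txns), footer_count,
                           running_amount, footer_amount, errors, txns)
```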
Control Objectives                 Control Activities                        Tests Performed                  Results of Testing\n\n\n\n    1      Security Programs Effectiveness Monitoring\n\n           Controls provide reasonable   1.1.1 DISA DECC-MECH and                DISA DECC-MECH and DFAS Saufley           No relevant exceptions\n   1.1\n           assurance that the security   DFAS Saufley Field                      Field                                     noted.\n           program effectiveness is\n                                         DoD and DFAS policy both direct         Inquired with the security officer to\n           monitored and changes are\n                                         that an annual Information Assurance    obtain an understanding of how\n           made as needed.\n                                         (IA) review be performed.               management assessed the appropriateness\n                                                                                 of the security policies and compliance\n                                                                                 with them.\n\n\n           Management monitors           1.2.1 DISA DECC-MECH                    DISA DECC-MECH                            No relevant exceptions\n   1.2\n           compliance with policies                                                                                        noted.\n                                         The Director\xe2\x80\x99s Policy Letters and       Inspected the DCPS Security\n           and procedures.\n                                         SOP are reviewed and updated.           Requirements and Information Systems\n                                         Security Readiness Reviews (SRRs)       Security Policy Certification Test and\n                                         are conducted at least every 3 years.   
Evaluation Plan and Procedures to\n                                                                                 confirm that an annual IA review was\n                                                                                 conducted and that a comprehensive\n                                                                                 vulnerability management process was in\n                                                                                 place.\n\n\n\n\n                                                                          79\n\x0cNo.       Control Objectives              Control Activities                         Tests Performed                   Results of Testing\n\n\n\n      Corrective actions are     1.3.1 DISA DECC-MECH                    DISA DECC-MECH                              DISA DECC-MECH\n1.3\n      effectively implemented.                                                                                       and DFAS Saufley\n                                 The Vulnerability Management            Inspected the SRR process to confirm that\n                                                                                                                     Field:\n                                 System (VMS) 6.0 is used to track       corrective actions are effectively\n                                 the status of outstanding Information   implemented for identified SRR findings.    
The prior year finding\n                                 Assurance Vulnerability Alerts                                                      regarding payroll data\n                                                                         Selected a sample of SRRs and inspected\n                                 (IAVAs) and the status of STIG                                                      transmitted through the\n                                                                         the VMS reports to confirm that findings\n                                 findings from the SRR process.                                                      NIPRNET unencrypted\n                                                                         identified by the SRR process have been\n                                 DISA DECC-MECH management is                                                        has not been resolved.\n                                                                         addressed.\n                                 responsible for tracking and closing\n                                 all IAVAs and STIG findings that        Requested prior audit reports or reviews\n                                 resulted from the SRR process.          and confirmed that remediation had\n                                                                         occurred for the findings and\n                                                                         recommendations.\n                                 1.3.2 DFAS Saufley Field\n                                 Remediation plans detail corrective\n                                 actions in response to findings         DFAS Saufley Field\n                                 identified in audits of DCPS or\n                                 DFAS. 
Management has approved           Requested prior audit reports and\n                                                                         confirmed that remediation has occurred\n                                 the remediation plan and monitors\n                                 progress of the plan.                   for the findings and recommendations.\n                                                                         Requested remediation plans intended to\n                                                                         address previous findings to confirm that\n                                                                         remediation had been initiated.\n\n\n\n\n                                                                  80\n\x0cNo.      Control Objectives             Control Activities                   Tests Performed                    Results of Testing\n\n\n\n2     Risk Assessment\n\n      Risk assessments are      2.1.1 DISA DECC-MECH and          DISA DECC-MECH                              No relevant exceptions\n2.1\n      performed according to    DFAS Saufley Field                                                            noted.\n                                                                  Inquired with the Information System\n      current Federal and DoD\n                                DoD and DFAS policy both direct   Security Officer (ISSO) and related\n      requirements.\n                                that an annual IA review be       security personnel and inquired how often\n                                conducted.                        
the risk assessment process occurs.\n                                                                  Inspected the SRR process and confirmed\n                                                                  how often it occurs and verified that\n                                                                  deficiencies and corrective actions are\n                                                                  tracked.\n                                                                  Selected a sample of SRRs performed and\n                                                                  inspected the VMS reports to confirm that\n                                                                  findings identified by the SRR process\n                                                                  have been addressed.\n                                                                  DFAS Saufley Field\n                                                                  Inquired with the ISSO and related\n                                                                  security personnel and inquired how often\n                                                                  the risk assessment process occurs.\n                                                                  Inspected the last Risk Assessment,\n                                                                  which should be included with the SSAA\n                                                                  to confirm that risks are periodically\n                                                                  assessed.\n\n\n\n\n                                                             81\n\x0cNo.      
Control Objectives               Control Activities                      Tests Performed                    Results of Testing\n\n\n\n3     Site Security Plans\n\n      Site security plans are     3.1.1 DFAS Saufley Field            DFAS Saufley Field                           No relevant exceptions\n3.1\n      documented, approved, and                                                                                    noted.\n                                  DoD and DFAS policy both direct     Inspected the DCPS SSAA to confirm\n      are current.\n                                  that an annual IA review be         that it has been documented, kept current,\n                                  conducted. Review appropriate       and appropriately approved by\n                                  generated documentation to ensure   management.\n                                  that these processes are\n                                                                      Inspected DCPS Systems Security Policy,\n                                  accomplished.\n                                                                      Security Requirements, and Certification\n                                                                      Test and Evaluation Plan and Procedures\n                                                                      to confirm that each has been updated.\n\n4     Security Management Structure\n\n      A security management       4.1.1 DFAS Saufley Field            DFAS Saufley Field                           No relevant exceptions\n4.1\n      structure has been                                                                                           noted.\n                                  The DCPS SSAA describes the IA      Confirmed through inquiry that a\n      established with DCPS.\n                                  operations of the DoD information   management structure had been\n                                  system and 
clearly delineates IA    established.\n                                  responsibilities and expected\n                                                                      Obtained and inspected the security\n                                  behavior of all personnel.\n                                                                      management organization chart.\n                                                                      Requested one position description for\n                                                                      each function listed on the organization\n                                                                      chart to confirm that positions were\n                                                                      established in writing.\n                                                                      Inspected the SSAA for the security\n                                                                      management structure. Confirmed that\n                                                                      each position function is outlined in the\n                                                                      SSAA.\n\n\n\n                                                                 82\n\x0cNo.       
Control Objectives                 Control Activities                        Tests Performed                    Results of Testing\n\n\n\n      Information security           4.2.1 DISA DECC-MECH and              DISA DECC-MECH                               No relevant exceptions\n4.2\n      responsibilities are clearly   DFAS Saufley Field                                                                 noted.\n                                                                           Inspected signed rules of behavior\n      assigned.\n                                     The DISA DECC-MECH SSAA and           statements for the DISA personnel with\n                                     the DCPS SSAA both describe the       access to DCPS and the underlying\n                                     IA operations of the DoD              operating system.\n                                     information system and clearly\n                                     delineate IA responsibilities and\n                                     expected behavior of all personnel.\n\n\n\n\n                                                                           DFAS Saufley Field\n                                                                           Inspected the SSAA for security\n                                                                           management responsibilities. 
Confirmed\n                                                                           that each position outlined in the SSAA is\n                                                                           filled by personnel and those personnel\n                                                                           understand their duties.\n                                                                           Inspected signed rules of behavior\n                                                                           statements for DFAS personnel with\n                                                                           access to DCPS.\n\n\n\n\n                                                                    83\n\x0cNo.       Control Objectives                   Control Activities                           Tests Performed                    Results of Testing\n\n\n                                      4.3.2 DFAS Saufley Field\n      Employees are aware of                                                    DFAS Saufley Field                           The Information\n4.3\n      security policies.                                                                                                     
Assurance Manager and\n                                      Ongoing security awareness                Inspected the Security Awareness\n                                                                                                                             Information Assurance\n                                      programs are in place that include        Training materials.\n                                                                                                                             Officer (IAM/IAO) did\n                                      initial training and periodic refresher\n                                                                                Obtained a list of employees who have        not receive IAM/IAO\n                                      training.\n                                                                                access to DCPS. Selected a sample of         certifications.\n                                                                                employees who have DCPS access and\n                                                                                inspected their training files to confirm\n                                                                                the completion of the necessary security\n                                                                                training (and the required certifications)\n                                                                                and that they are signed.\n                                                                                Obtained evidence that management has\n                                                                                active security awareness programs in\n                                                                                place (for example, electronic mail files,\n                                                                                or other policy 
distribution mechanisms)\n                                                                                that proactively emphasize the security\n                                                                                policies to data owners and users.\n\n\n      A comprehensive                 4.4.1 DISA DECC-MECH                      DISA DECC-MECH                               No relevant exceptions\n4.4\n      vulnerability management                                                                                               noted.\n                                      Vulnerabilities are tracked in the        Obtained the VMS reports for the audit\n      process that includes the\n                                      VMS database. Prior to connection         period for DCPS and confirmed\n      systematic identification and\n                                      to the network, the system                vulnerabilities are being tracked and\n      mitigation of software and\n                                      administrator must generate a VC06        resolved in a timely manner.\n      hardware vulnerabilities is\n                                      report detailing Information\n      in place.\n                                      Assurance Vulnerability\n                                      Management (IAVM) notices for the\n                                      asset\xe2\x80\x99s operating system. All IAVM\n                                      notices must be mitigated, and\n                                      applicable patches must be loaded\n                                      prior to connecting the asset to the\n                                      network. Once all checklists have\n                                      been applied from the STIG and the\n                                      patches from the vulnerability alerts\n\n                                                                         84\n\x0cNo.   
Control Objectives            Control Activities              Tests Performed   Results of Testing\n\n\n                           have been installed, a self-assessment\n                           and a Retina network scan is\n                           conducted. Security assessments that\n                           require a scan use the Retina scanner\n                           and the FSO Full Scan Policy. The\n                           scan is conducted using a direct\n                           connection from the system running\n                           the scanner to the system being\n                           assessed or the site is authorized to\n                           connect the asset to an isolated\n                           network during the Retina scan.\n                           Each site then places their self-\n                           assessment in the VMS database. If\n                           the systems have a database, web\n                           server, or any other software that has\n                           a STIG, they must put those self-\n                           assessments in VMS as well. The\n                           network scan must be generated with\n                           all database instances and all web\n                           servers running.\n\n\n\n\n                                                            85\n\x0cNo.       
Control Objectives                   Control Activities                           Tests Performed                      Results of Testing\n\n\n\n5     Personnel Policies\n\n      Employee (Government or         DFAS Saufley Field                        DFAS Saufley Field                              No relevant exceptions\n5.1\n      contractor) background                                                                                                   noted.\n                                      The DCPS SSAA requires system             Requested, obtained, and inspected the\n      investigations, hiring,\n                                      users to be subjected to various levels   policies and procedures for gaining access\n      transferring, and termination\n                                      of Personnel Security Investigations      to sensitive information.\n      policies address security and\n                                      based on the level of access or\n      are in compliance with DoD                                                Obtained a listing of all personnel\n                                      privileges they have within the\n      Instruction 8500.2.                                                       associated with DCPS. Selected a sample\n                                      systems. The higher the level of\n                                                                                of DCPS users and obtained SAAR forms\n                                      access, the more stringent the\n                                                                                for each. Confirmed that each SAAR\n                                      required investigation becomes. 
As a\n                                                                                details the user\xe2\x80\x99s justification for access,\n                                      minimum, all DFAS DCPS\n                                                                                security clearance level, and the proper\n                                      personnel/employees (military,\n                                                                                approvals.\n                                      civilian, or contractors) will have a\n                                      favorably completed the National\n                                      Agency Check.\n\n\n      Job descriptions for            5.2.1 DISA DECC-MECH and                  DISA DECC-MECH                                 No relevant exceptions\n5.2\n      Government employees            DFAS Saufley Field                                                                       noted.\n                                                                                Inspected the job descriptions for the\n      have been documented, and\n                                      Developed position descriptions for       applicable types of personnel.\n      employees understand their\n                                      distinct system support positions.\n      duties and responsibilities.\n                                                                                DFAS Saufley Field\n                                                                                Inspected the job descriptions for the\n                                                                                applicable types of personnel listed in\n                                                                                Control Objective # 5.1.\n\n\n\n\n                                                                        86\n\x0cNo.   
Control Objectives            Control Activities                        Tests Performed                      Results of Testing\n\n\n\n                           5.2.2 DISA DECC-MECH and               DISA DECC-MECH                                 No relevant exceptions\n                           DFAS Saufley Field                                                                    noted.\n                                                                  Selected a sample of employees and\n                           Position descriptions are available    confirmed through inquiry that they\n                           and performance plans are provided     understood their duties and\n                           to assist employees in understanding   responsibilities.\n                           their roles and responsibilities\n                                                                  Inspected documentation to confirm that\n                           according to their assigned duties.\n                                                                  employees have signed position\n                                                                  descriptions.\n                                                                  DFAS Saufley Field\n                                                                  Selected a sample of employees and\n                                                                  confirmed through inquiry that they\n                                                                  understood their duties and\n                                                                  responsibilities.\n                                                                  Inspected documentation to confirm that\n                                                                  employees have signed their performance\n                                                                  plans.\n\n                           5.2.3 DFAS Saufley 
Field               DFAS Saufley Field                             No relevant exceptions\n                                                                                                                 noted.\n                           All DFAS personnel are required to     Inspected the hiring, transfer, termination,\n                           complete initial and periodic IA       and performance policies to confirm that\n                           training. This training helps the      they are documented and address\n                           employee understand the importance     security.\n                           of their roles and responsibilities.\n                                                                  Confirmed though inquiry that debriefs\n                                                                  are conducted when employees are\n                                                                  terminated and that a Human Resources\n                                                                  Checklist is used to note the collection of\n                                                                  DFAS property.\n                                                                  Confirmed through inspection that an e-\n                                                                  mail is sent to the system administrator to\n                                                                  request that system access be removed for\n                                                                  a terminated employee.\n\n                                                           87\n\x0cNo.       
No.   Control Objectives   Control Activities   Tests Performed   Results of Testing

5.3   Control Objective: Employees (Government or contractor) are adequately trained and possess the required skills.

      Control Activity 5.3.1 (DISA DECC-MECH and DFAS Saufley Field): A program is implemented to ensure that upon arrival (and periodically thereafter), all personnel receive training and familiarization to perform their assigned IA duties, to include familiarization with their prescribed roles in all IA-related plans, such as incident response, configuration management, and Continuity of Operations Plan (COOP) or disaster recovery.

      Tests Performed (DISA DECC-MECH): Confirmed through inquiry that a training program has been established. Requested documentation to confirm the existence of this training program (for example, individual training plans, job-specific training plans, and policy for requirements of training). If training was conducted in-house, inspected the training materials to confirm that they provided personnel with adequate training and expertise. Selected a sample of employees who have access to DCPS and inspected their training records to confirm that specific job function training is occurring.

      Tests Performed (DFAS Saufley Field): Confirmed through inquiry that a training program has been established. Requested documentation to confirm the existence of this training program (for example, individual training plans, job-specific training plans, and policy for requirements of training). If training was conducted in-house, inspected the training materials to confirm that they provided personnel with adequate training that is up to date. Selected a sample of employees who have access to DCPS and inspected their training records to confirm that job-specific training is occurring.

      Results of Testing: DFAS Saufley Field: We noted that the IAM and IAO did not receive IAM/IAO certifications.

6     Information Resource Classification

6.1   Control Objective: Resource classifications and related criteria have been established.

      Control Activity 6.1.1 (DISA DECC-MECH): DFAS management has classified DCPS according to appropriate MAC-level standards and identified DCPS in the Service-Level Agreement (SLA) between DISA and DFAS.

      Tests Performed (DISA DECC-MECH): Inquired with management as to the process for identifying and prioritizing critical data and operations. Obtained documentation that supports this process and confirmed that it is current and was approved by management.

      Control Activity 6.1.1 (DFAS Saufley Field): DFAS management has classified DCPS according to appropriate MAC-level standards and identified DCPS in the SLA between DISA and DFAS.

      Tests Performed (DFAS Saufley Field): Inquired with management as to the process for identifying and prioritizing critical data and operations. Obtained documentation that supports this process and confirmed that it is current and was approved by management.

      Results of Testing: No relevant exceptions noted.

      Control Activity 6.1.2 (DISA DECC-MECH): DFAS management has identified DCPS resources supporting critical operations based on the nature and impact of the disaster. The resources are included in the DISA DECC-MECH Business Continuity Plan as prescribed in the SLA between DISA and DFAS.

      Tests Performed (DISA DECC-MECH): Corroborated with key personnel that identification of resources supporting critical operations is based on the nature and impact of the disaster. Obtained and inspected the business continuity plan and confirmed that supporting critical operations are identified, and emergency priorities are established and approved by management.

      Control Activity 6.1.2 (DFAS Saufley Field): DFAS management has identified DCPS resources supporting critical operations based on the nature and impact of the disaster. The resources are included in the DISA DECC-MECH Business Continuity Plan as prescribed in the SLA between DISA and DFAS.

      Tests Performed (DFAS Saufley Field): Corroborated with key personnel that identification of resources supporting critical operations is based on the nature and impact of the disaster. Obtained and inspected the business continuity plan and confirmed that supporting critical operations are identified, and emergency priorities are established and approved by management.

      Results of Testing: No relevant exceptions noted.

6.2   Control Objective: DFAS has classified all DFAS-owned assets according to criticality and sensitivity.

      Control Activity 6.2.1 (DFAS Saufley Field): Management has classified DCPS according to appropriate MAC-level standards.

      Tests Performed (DFAS Saufley Field): Inspected the DCPS SSAA and confirmed that a MAC level had been assigned to DCPS. Inquired with data owners and confirmed that a MAC level has been assigned to DCPS. Inspected the DCPS SLA between DFAS and DISA to determine the classification of DCPS communicated to DISA.

      Results of Testing: No relevant exceptions noted.

6.3   Control Objective: Data management and the disposition and sharing of data requirements are identified in the SLAs.

      Control Activity 6.3.1 (DFAS Saufley Field): Documented policies and procedures governing the sharing of data are in the DCPS SSAA.

      Tests Performed (DFAS Saufley Field): Inspected documents authorizing file sharing and file sharing agreements and confirmed that the owners approve the sharing of data. In many cases, these documents are called a Memorandum of Understanding or SLA. Inspected the DCPS SSAA and confirmed that a MAC level had been assigned to DCPS. Inquired with data owners and confirmed that a MAC level has been assigned to DCPS. Inquired with data owners and confirmed that a Memorandum of Understanding has been developed and is in place for each DCPS interface.

      Results of Testing: No relevant exceptions noted.

6.4   Control Objective: DCPS has logical controls over data files and software programs.

      Control Activity 6.4.1 (DFAS Saufley Field): The SAAR is used to identify authorized users and control their access.

      Tests Performed (DFAS Saufley Field): Requested a complete DCPS user list. Selected a random sample of users from the list and inspected their user access request forms for existence and approval by management. Inspected the application to confirm that users must possess a valid User ID and password to gain access to the system. Interviewed owners and inspected supporting documentation to confirm that inappropriate access is removed in a timely manner. Interviewed security managers and confirmed that supporting documentation was provided to them. Obtained a representative sample of profile changes and activity logs and confirmed that management reviewed the changes and logs. Obtained a list of recently terminated employees from the personnel office. Selected a random sample of terminated employees and confirmed that system access was promptly terminated.

      Results of Testing: No relevant exceptions noted.

      Control Activity 6.4.2 (DISA DECC-MECH): The DISA System Support Office, a unit independent of DISA DECC-MECH operations, is responsible for maintaining the system libraries; however, DISA DECC-MECH performs the library installation. Access to system libraries is restricted to authorized individuals, including system programmers at the DISA System Support Office and DISA DECC-MECH.

      Tests Performed (DISA DECC-MECH): Confirmed through inquiry and inspection of the root access users for the DCPS servers that access restrictions have been established around the data files and software programs. Inspected the access logs and corroborated with management that the access logs are reviewed for inappropriate access and that system libraries are managed and maintained to protect privileged programs.

      Results of Testing: No relevant exceptions noted.
7     User Account Management

7.1   Control Objective: Authorized users and their access rights are identified for DISA-/DFAS-owned assets. Access authorizations are appropriately limited.

      Control Activity 7.1.1 (DISA DECC-MECH and DFAS Saufley Field): User accounts are suspended after 35 days of no activity (60 days for TSO and payroll offices) and removed after 180 days of no activity. Accounts are approved by IA officers.

      Tests Performed (DISA DECC-MECH): Inspected the policies and procedures for restricting access to the systems software to confirm that they were up to date. Generated a list from the Discretionary Access Control database of individuals who had direct access to the system software and selected a random sample of users with direct access. For each user selected, confirmed with key management personnel that these users were authorized to have this access. Inquired with key management that suspension and termination of access is performed according to the policies and procedures. Interviewed owners and inspected supporting documentation to confirm that inappropriate access is removed in a timely manner. Obtained a list of recently terminated employees from the personnel office. Selected a random sample of terminated employees and confirmed that system access was promptly terminated.

      Tests Performed (DFAS Saufley Field): Inspected the policies and procedures for restricting access to the DCPS application software to confirm that they were up to date. Generated a list from the Discretionary Access Control database of individuals who had direct access to the DCPS application software and selected a random sample of users with direct access. For each user selected, confirmed with key management personnel that these users were authorized to have this access. Inquired with key management that suspension and termination of access is performed according to the policies and procedures. Interviewed owners and inspected supporting documentation to confirm that inappropriate access is removed in a timely manner. Obtained a list of recently terminated employees from the personnel office. Selected a random sample of terminated employees and confirmed that system access was promptly terminated.

      Results of Testing: No relevant exceptions noted.

7.2   Control Objective: IAOs or SAs periodically review authorization listings to determine appropriateness. Policies and techniques have been implemented for using and monitoring the use of system utilities.

      Control Activity 7.2.1 (DISA DECC-MECH): Access to the system software is administered based on roles.

      Tests Performed (DISA DECC-MECH): Inquired with key personnel to determine how root and/or privileged access is administered. Obtained the list of individuals with root and/or privileged access. Inquired with management whether root and privileged access is appropriate and whether the use of these accounts is logged. Inspected a random sample of the audit logs from the DCPS servers to confirm that personnel review the logs on a regular basis and that any issues noted are documented and researched.

      Results of Testing: No relevant exceptions noted.

7.3   Control Objective: Emergency and temporary access is controlled.

      Control Activity 7.3.1 (DISA DECC-MECH and DFAS Saufley Field): Emergency and temporary access authorization is controlled in accordance with DoD 5200.1-R, DoD 5200.2-R, DoDD 8500.1, and DoDI 8500.2. Accounts are approved by the IA officers.

      Tests Performed (DISA DECC-MECH): Inspected the emergency and temporary access policy. Selected a random sample of emergency and temporary access and confirmed that:
        • the authorization was approved and that the access was closed in a timely manner,
        • the emergency and temporary access list is periodically reviewed, and
        • temporary access authorizations were established for least privileged, need-to-know access.

      Tests Performed (DFAS Saufley Field): Inspected the emergency and temporary access policy. Selected a random sample of emergency and temporary access and confirmed that:
        • the authorization was approved and that the access was closed in a timely manner,
        • the emergency and temporary access list is periodically reviewed, and
        • temporary access authorizations were established for least privileged, need-to-know access.

      Results of Testing: No relevant exceptions noted.

7.4   Control Objective: Group authenticators for application or network access may be used only in conjunction with an individual authenticator.

      Control Activity 7.4.1 (DFAS Saufley Field): Group authenticators are not used for DCPS or network access. Upon initial system login, a user’s actions are tracked based on their unique user account.

      Tests Performed (DFAS Saufley Field): Confirmed through inquiry that group authenticators for the application and network are used. Inquired why group authenticators are used. Inquired whether users are authenticated individually prior to the use of a group authenticator. Confirmed through observation that group authentication is used by the operations group; however, confirmed that operator job logs are used to record the actions of the operators who use the group authentication.

      Results of Testing: DFAS was unable to provide 3 of 18 randomly selected dates for operator job logs requested.
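The dormancy thresholds in control activity 7.1.1 (suspend after 35 days, 60 for TSO and payroll offices, remove after 180 days; accounts approved by IA officers) and the 7.3.1 test that temporary access is closed in a timely manner can be checked mechanically against an exported user list. The following is an added example, not code from the DoD IG report or from DFAS or DISA; the account records, terminated-employee list, field names and the one-day grace period for temporary access are constructed assumptions of the example.

```python
"""Account review against the thresholds stated in control activities 7.1.1
and 7.3.1: dormant accounts, accounts of terminated employees, accounts
lacking IA officer approval, and temporary access left open.

Added example, not code from the DoD IG report or from DFAS or DISA. Account
records, the terminated-employee list and the review date are constructed
sample data; the field names and the temporary-access grace period are
assumptions of this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Set

# Thresholds stated in control activity 7.1.1.
SUSPEND_AFTER_DAYS = 35              # default inactivity before suspension
SUSPEND_AFTER_DAYS_TSO_PAYROLL = 60  # TSO and payroll offices
REMOVE_AFTER_DAYS = 180              # inactivity before the account is removed
# 7.3.1 only requires temporary access to be closed "in a timely manner";
# the one-day grace period is an assumption of this example.
TEMP_ACCESS_GRACE_DAYS = 1


@dataclass
class Account:
    user_id: str
    office: str                 # constructed values: "tso", "payroll", "sysadmin"
    last_activity: date
    status: str                 # "active" or "suspended"
    approved_by_iao: bool       # 7.1.1: accounts are approved by IA officers
    temporary: bool = False     # 7.3.1: emergency or temporary access
    temp_expires: Optional[date] = None


def suspend_threshold(account: Account) -> int:
    """Inactivity limit before suspension: 60 days for TSO and payroll, else 35."""
    if account.office.lower() in ("tso", "payroll"):
        return SUSPEND_AFTER_DAYS_TSO_PAYROLL
    return SUSPEND_AFTER_DAYS


def review_accounts(accounts: Iterable[Account], terminated: Set[str],
                    today: date) -> Dict[str, List[str]]:
    """Map each user_id to its list of findings; an empty list means clean."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        issues: List[str] = []
        idle_days = (today - acct.last_activity).days
        # Test in 7.1.1: terminated employees must no longer hold an account.
        if acct.user_id in terminated:
            issues.append("terminated employee still has an account")
        if not acct.approved_by_iao:
            issues.append("no IA officer approval on record")
        # Dormancy: removal after 180 days, suspension after 35/60 days.
        if idle_days > REMOVE_AFTER_DAYS:
            issues.append(f"idle {idle_days}d: should have been removed")
        elif idle_days > suspend_threshold(acct) and acct.status == "active":
            issues.append(f"idle {idle_days}d: should have been suspended")
        # Temporary access still open past its authorized end date.
        if acct.temporary and acct.temp_expires is not None:
            overdue = (today - acct.temp_expires).days
            if acct.status == "active" and overdue > TEMP_ACCESS_GRACE_DAYS:
                issues.append(f"temporary access open {overdue}d past expiry")
        findings[acct.user_id] = issues
    return findings


# Constructed sample data; the review date is the end of the report's period.
REVIEW_DATE = date(2008, 3, 31)
SAMPLE_ACCOUNTS = [
    Account("u001", "sysadmin", REVIEW_DATE - timedelta(days=3), "active", True),
    Account("u002", "payroll", REVIEW_DATE - timedelta(days=50), "active", True),
    Account("u003", "sysadmin", REVIEW_DATE - timedelta(days=50), "active", True),
    Account("u004", "tso", REVIEW_DATE - timedelta(days=200), "suspended", True),
    Account("u005", "sysadmin", REVIEW_DATE - timedelta(days=10), "active", True),
    Account("u006", "sysadmin", REVIEW_DATE - timedelta(days=2), "active", True,
            temporary=True, temp_expires=REVIEW_DATE - timedelta(days=7)),
    Account("u007", "payroll", REVIEW_DATE - timedelta(days=1), "active", False),
]
SAMPLE_TERMINATED = {"u005"}  # constructed list from the personnel office


if __name__ == "__main__":
    for user, issues in review_accounts(SAMPLE_ACCOUNTS, SAMPLE_TERMINATED,
                                        REVIEW_DATE).items():
        print(user, "clean" if not issues else "; ".join(issues))
```

Note that u002 (payroll, idle 50 days) is clean because the 60-day office-specific threshold applies, while u003 (idle 50 days, default office) is flagged.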
8     Physical Security

8.2   Building, administration, and computer facility physical controls have been implemented.

      DFAS Saufley Field
      Control Activities: DFAS facilities at DFAS Saufley Field have implemented adequate physical security controls in accordance with DODI 8500.2. Physical access points are guarded or alarmed 24 hours a day. The Random Anti-Terrorism Measures process is in place and it includes periodic, unannounced attempts to penetrate DFAS facilities. Only authorized personnel with appropriate access approval are granted physical access.
      Tests Performed: Inquired with facility management as to the physical security controls in place. Confirmed through observation that these controls are in place. Obtained results of the most recent facility penetration testing and confirmed that management reviewed the results of the test.
      Results of Testing: No relevant exceptions noted.

8.3   Visitors are controlled.

      8.3.2 DFAS Saufley Field
      Control Activities: All visitors must sign in and out on the Visitor Control Log located in the main lobby. The DCPS SSAA requires all non-cleared personnel to be escorted at all times while inside the building.
      Tests Performed: Inspected the visitor policies and procedures to confirm they are documented. Confirmed through inquiry that all visitors are controlled. Confirmed through inquiry and observation that visitor access to DoD information was determined by both its classification and user need-to-know. Obtained the visitor check-in log for a random sample of normal business days. Confirmed that the log has been completed according to the visitor policies and procedures.
      Results of Testing: The Administrator 6H visitor policy did not include policies and procedures for granting access to visitors for an extended length of time.

9     Logical Access

9.1   Access settings have been implemented in accordance with the access authorizations established by the resource owners.

      9.1.1 DISA DECC-MECH
      Control Activities: Access settings have been implemented in accordance with the access authorizations established by signature authority of the resource owner listed on the SAAR and in accordance with DoDD 8500.1, DoDI 8500.2, and STIGs.
      Tests Performed: Obtained a random sample of users with access to the DCPS Logical Partition (LPAR) and obtained the SAAR for the sampled personnel. Confirmed that each SAAR details the user's justification for access and security clearance level, and that each SAAR is properly approved.

      9.1.2 DFAS Saufley Field
      Control Activities: The TSO assigns security profiles to each user ID based on need-to-know as demonstrated by an approved SAAR for system access. The DFAS Saufley Field database administrator also assigns security profiles to development users through the Integrated Database Management System (IDMS), which restricts access to program libraries and databases.
      Tests Performed: Observed the DCPS system to confirm that each user account was assigned a security profile that restricts access by module or program. Requested a complete DCPS user list. Selected a random sample of users from the list and inspected the SAARs for the user's justification for access, security clearance level, and approval by management.

      Results of Testing (9.1): No relevant exceptions noted.

9.2   Passwords, tokens, or other devices are used to identify and authenticate users.

      9.2.1 DFAS Saufley Field
      Control Activities: User IDs and passwords are configured according to DoD standards.
      Tests Performed: Observed that each user account was assigned a security profile that restricted access by module and program. Inspected the DCPS application to confirm that users needed a valid user ID and password to gain access to the system. Inspected system parameters to verify that the system requires a user ID and password.
      Results of Testing: No relevant exceptions noted.

      9.2.2 DISA DECC-MECH
      Control Activities: Multiple layers of access controls are used, including a Common Access Card and personal identification number; a DCPS user ID and password; and an RSA SecurID for database administration, configuration management, security, and tech support.
      Tests Performed: Confirmed through inquiry and observation that passwords are used to authenticate users. Inspected system parameters to verify that the system requires a user ID and password. Inspected the SSAA to confirm that authentication devices are in compliance with DoD standards.
      Results of Testing: No relevant exceptions noted.
10    Network and Telecommunications

10.1  Telecommunication defense capabilities are implemented. Unclassified, sensitive data transmitted through a commercial or wireless network are encrypted using NIST-certified cryptography.

      10.1.1 DISA DECC Montgomery
      Control Activities: DISA DECC-MECH is in the process of encrypting all data streams to Federal Information Processing Standards 140-2, "Security Requirements for Cryptographic Modules."
      Tests Performed: Inquired with security personnel if DCPS data are transmitted through a commercial or wireless network. Inquired with security personnel to determine whether NIST cryptography was used to protect information transmitted over commercial or wireless networks.
      Results of Testing: We noted payroll data transmitted through the NIPRNET are unencrypted.

10.2  Network defense capabilities are implemented. At a minimum, medium-robustness Commercial Off-the-Shelf (COTS) IA and IA-enabled products are used to protect sensitive information when the information transits public networks or the system handling the information is accessible by individuals who are not authorized to access the information on the system.

      10.2.1 DISA DECC Montgomery
      Control Activities: Appropriate IA products are implemented to protect sensitive information when the information transits public networks or the system handling the information is accessible by individuals who are not authorized to access the information on the system. Telnet access to the DCPS mainframe domain is secured using Secure Web Access (SWA). All DCPS users must use SWA when accessing DCPS.
      Tests Performed: Inspected the DISA SAS 70 Report to identify any issues as a result of the testing. Inquired with system administrators to determine whether telnet access to the DCPS mainframe domain is secured using SWA.
      Results of Testing: The IA-enabled products, including routers and firewalls, are not configured to "deny by default," and DISA DECC-MECH firewalls are not STIG compliant.

10.3  Remote and dial-up capabilities are controlled.

      10.3.1 DISA DECC Montgomery
      Control Activities: Remote access to the Internet is regulated by positive technical controls, such as proxy services and screened subnets, also called demilitarized zones (DMZ), or through systems that are isolated from all other DoD information systems through physical means. There is a remote dial-in router provided for systems administrators that requires Secure Shell restrictions. The Exchange System Manager is installed on some of these systems. System administrators must use the DISA CSD out-of-band network to access all servers for whose administration and maintenance they are responsible. There is a "deny-by-default" policy implemented at DISA DECC-MECH that prohibits data traffic over ports and protocols unless specifically allowed in the ACL rules.
      Tests Performed: Inspected the DISA SAS 70 Report to identify any issues as a result of the testing.
      Results of Testing: Noted users did not use DoD-issued computers for remote telnet access through the MIAP application to the MZF LPAR.

10.4  Conformance testing that includes periodic, unannounced, in-depth monitoring and provides for specific penetration testing to ensure compliance with all vulnerability mitigation procedures is planned, scheduled, and conducted.

      10.4.1 DISA DECC-MECH
      Control Activities: DISA DECC-MECH performs monthly scans to check for any DCPS network vulnerabilities. The DCPS system and hardware are reviewed through periodic SRR reviews that are conducted by FSO on the DCPS mainframe domain.
      Tests Performed: Confirmed through inquiry that conformance testing was performed that included periodic, unannounced, in-depth monitoring and provided for specific penetration testing to confirm compliance with vulnerability mitigation procedures. Obtained and inspected documentation produced from this conformance testing to confirm that vulnerability scans were completed.
      Results of Testing: No relevant exceptions noted.

11    [This control objective was intentionally left blank.]
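Control activity 10.3.1 states a deny-by-default policy, while the 10.2 results report that the routers and firewalls were not configured to deny by default. Both describe the same check: is traffic that matches no explicit rule dropped? The following Python script is an added illustration of that test. It is not part of this report and is not DISA or DFAS tooling; its simplified first-match rule format, the probe address 203.0.113.10 (a documentation address) and the three rulesets are constructed for the example, and the device's real implicit policy must be read from the device, which the `implicit_default` parameter stands in for. The telnet probe reflects the 10.2 condition that telnet to the DCPS mainframe domain must be wrapped in SWA rather than reachable directly.

```python
"""Deny-by-default check for a first-match access control list.

Added example for control objectives 10.2/10.3; not DISA or DFAS tooling.
The rule format, the probe address and the rulesets are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    action: str     # "permit" or "deny"
    proto: str      # "tcp", "udp" or "any"
    dst_port: str   # destination port as a string, or "any"
    src: str        # source CIDR, or "any"


def _src_matches(rule_src: str, src_ip: str) -> bool:
    return rule_src == ANY or ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule_src)


def is_catch_all(rule: Rule) -> bool:
    """True for a rule that matches every packet (any proto, any port, any source)."""
    return rule.proto == ANY and rule.dst_port == ANY and rule.src == ANY


def first_match(rules: list[Rule], proto: str, dst_port: str, src_ip: str,
                implicit_default: str) -> str:
    """Action applied to a packet under first-match evaluation."""
    for rule in rules:
        if (rule.proto in (ANY, proto) and rule.dst_port in (ANY, dst_port)
                and _src_matches(rule.src, src_ip)):
            return rule.action
    return implicit_default


def evaluate_acl(rules: list[Rule], implicit_default: str = "permit") -> list[str]:
    """Return audit findings; an empty list means the ruleset passed.

    A ruleset is deny-by-default when traffic matching no explicit rule is
    dropped: either the device's implicit policy is deny, or the last rule is
    an explicit catch-all deny. Anything after a catch-all is unreachable.
    """
    findings: list[str] = []
    catch_all = next((i for i, r in enumerate(rules) if is_catch_all(r)), None)
    if catch_all is None:
        if implicit_default != "deny":
            findings.append("no catch-all deny rule and implicit default is permit")
    else:
        if rules[catch_all].action != "deny":
            findings.append(f"rule {catch_all} is a catch-all permit")
        unreachable = len(rules) - 1 - catch_all
        if unreachable:
            findings.append(f"{unreachable} rule(s) after the catch-all are unreachable")
    # Probe: is plaintext telnet reachable from an arbitrary outside address?
    # 203.0.113.10 is a documentation address (TEST-NET-3) used as the probe source.
    if first_match(rules, "tcp", "23", "203.0.113.10", implicit_default) == "permit":
        findings.append("tcp/23 (telnet) is permitted from an arbitrary source")
    return findings


# Constructed rulesets (not taken from the report).
PERMISSIVE_ACL = [
    Rule("permit", "tcp", "443", ANY),
    Rule("permit", "tcp", "23", ANY),           # plaintext telnet open to everyone
]                                               # no catch-all; device default permit

DENY_BY_DEFAULT_ACL = [
    Rule("permit", "tcp", "443", ANY),
    Rule("permit", "tcp", "22", "10.0.0.0/8"),  # SSH only from an internal range
    Rule("deny", ANY, ANY, ANY),                # explicit catch-all deny
]

SHADOWED_ACL = [
    Rule("deny", ANY, ANY, ANY),
    Rule("permit", "tcp", "443", ANY),          # never reached
]

if __name__ == "__main__":
    for name, acl in [("permissive", PERMISSIVE_ACL),
                      ("deny-by-default", DENY_BY_DEFAULT_ACL),
                      ("shadowed", SHADOWED_ACL)]:
        print(name, evaluate_acl(acl) or "no findings")
```

Run as written, the permissive ruleset produces two findings (no catch-all deny under a permit default, and telnet open from any source), the deny-by-default ruleset produces none, and the shadowed ruleset reports one unreachable rule. The script assumes first-match semantics; a reviewer has to confirm that the device under test evaluates rules that way before relying on the result.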
12    Access Monitoring

12.1  Audit trails are maintained.

      12.1.1 DISA DECC-MECH and DFAS Saufley Field
      Control Activities: A security audit trail is implemented for each system that documents the identity of each person/device having access to a system, the time of that access, user activity, and any actions that attempt to change security levels or privileges established for the user. The audit trail is maintained by DISA.
      Tests Performed (DISA DECC-MECH): Confirmed through inquiry that audit trails are implemented for the MZF LPAR. Inspected the audit trails available and determined what information is being logged. Confirmed through inquiry and inspection that audit trails are maintained for at least 5 years. Confirmed through inquiry and inspection that the log is reviewed and signed by management.
      Tests Performed (DFAS Saufley Field): Confirmed through inquiry that audit trails are implemented for the application. Inspected the audit trails available and determined what information is being logged. Confirmed through inquiry and inspection that audit trails are maintained for at least 5 years. Confirmed through inquiry and inspection that the log is reviewed and signed by management.
      Results of Testing (DISA DECC-MECH): No relevant exceptions noted.
      Results of Testing (DFAS Saufley Field): DFAS was unable to provide 3 of 54 audit logs. Of 54 audit logs, 10 lacked evidence of management review.

      12.1.3 DFAS Saufley Field
      Control Activities: Adheres to DITSCAP requirements for system access and content, retention, and protection of audit trails. The most recent testing of compliance with DITSCAP guidance is contained in the DCPS SSAA, Appendices H and P.
      Tests Performed: Inspected the policy for protecting the audit trails and confirmed that the policy limits access to audit trails. Confirmed through inquiry and inspection that audit logs include activities that might modify, bypass, or negate safeguards controlled by the system, so that the audit trails must be protected against unauthorized access, modification, or deletion. Observed that only a select, limited number of individuals, such as the ISSO and the Information Assurance Manager, have access to the audit trails.
      Results of Testing: No relevant exceptions noted.

12.4  Suspicious network access activity is investigated and appropriate action is taken. Instant messaging traffic to and from instant messaging clients that are independently configured by end users and that interact with a public service provider is prohibited within DoD information systems.

      12.4.2 DFAS Saufley Field
      Control Activities: Desktop Management Interface controls the configuration of computers, and instant messaging programs are not authorized. Saufley Field monitors application usage through an automated software auditing application that runs regularly when users log on to their workstations. Instant messaging programs are identified as part of that auditing process.
      Tests Performed: Confirmed through inquiry with key personnel that the use of instant messaging is against DoD policy. Inquired to determine how instant messaging is controlled. Inspected firewall rules to confirm that instant messaging is blocked.
      Results of Testing: No relevant exceptions noted.
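The 12.1.1 results at DFAS Saufley Field (3 of 54 logs not provided; 10 of 54 lacking evidence of management review) are the counts that fall out of a sample-and-inspect procedure. The Python below is an added example of carrying out that procedure mechanically. It is not part of this report and is not DFAS or DISA tooling: it draws a reproducible random sample of log dates from the audit period, checks each sampled log for production and for a signed, dated management review, and tests the 5-year retention requirement from control activity 12.1.1 against the earliest retained log. The evidence records are constructed, and the criterion that a review must be dated on or after the log it covers is an assumption not stated in the report.

```python
"""Sample-based test of audit-log production, retention and management review.

Added example for control objective 12.1; not DFAS or DISA tooling. The
population is the audit period's calendar days and the evidence is constructed.
"""
from __future__ import annotations

import random
from dataclasses import dataclass
from datetime import date, timedelta

RETENTION_YEARS = 5  # control activity 12.1.1: audit trails kept at least 5 years


@dataclass(frozen=True)
class LogEvidence:
    log_date: date
    provided: bool                 # was the log produced when requested?
    reviewer: str | None = None    # management signature on the review
    review_date: date | None = None


def select_sample(population: list[date], size: int, seed: int) -> list[date]:
    """Reproducible random sample of log dates (record the seed in the workpapers)."""
    return sorted(random.Random(seed).sample(population, size))


def has_review_evidence(ev: LogEvidence) -> bool:
    """Assumed criterion: a review counts only if signed and dated on/after the log date."""
    return (ev.provided and bool(ev.reviewer) and ev.review_date is not None
            and ev.review_date >= ev.log_date)


def retention_satisfied(earliest_retained: date, as_of: date,
                        years: int = RETENTION_YEARS) -> bool:
    """True if retained logs reach back at least `years` before `as_of`."""
    try:
        cutoff = as_of.replace(year=as_of.year - years)
    except ValueError:            # as_of is 29 Feb and the target year is not a leap year
        cutoff = as_of.replace(year=as_of.year - years, day=28)
    return earliest_retained <= cutoff


def summarize(sample: list[LogEvidence]) -> dict:
    """Exception counts in the form the report states them ('x of N')."""
    not_provided = [e.log_date for e in sample if not e.provided]
    not_reviewed = [e.log_date for e in sample if e.provided and not has_review_evidence(e)]
    return {
        "sampled": len(sample),
        "not_provided": len(not_provided),
        "lacking_review": len(not_reviewed),
        "exception_dates": sorted(not_provided + not_reviewed),
        "clean": not not_provided and not not_reviewed,
    }


# Population: one daily log for each day of the audit period, 1 Oct 2007 to 31 Mar 2008.
PERIOD_START, PERIOD_END = date(2007, 10, 1), date(2008, 3, 31)
POPULATION = [PERIOD_START + timedelta(days=i)
              for i in range((PERIOD_END - PERIOD_START).days + 1)]


def build_constructed_evidence(dates: list[date]) -> list[LogEvidence]:
    """Constructed evidence, not audit data: every 5th sampled log is missing and
    every 4th provided log carries no management signature."""
    evidence = []
    for i, d in enumerate(dates):
        if i % 5 == 4:
            evidence.append(LogEvidence(d, provided=False))
        elif i % 4 == 3:
            evidence.append(LogEvidence(d, provided=True))           # unsigned
        else:
            evidence.append(LogEvidence(d, True, "IAM", d + timedelta(days=7)))
    return evidence


SAMPLE_DATES = select_sample(POPULATION, 20, seed=2008)
SAMPLE_EVIDENCE = build_constructed_evidence(SAMPLE_DATES)

if __name__ == "__main__":
    s = summarize(SAMPLE_EVIDENCE)
    print(f"unable to provide {s['not_provided']} of {s['sampled']}; "
          f"{s['lacking_review']} of {s['sampled']} lacked evidence of management review")
    print("5-year retention met:", retention_satisfied(date(2002, 10, 1), PERIOD_END))
```

On the constructed sample of 20 the summary reports 4 logs not provided and 4 lacking review evidence, which is the same shape as the report's "3 of 54" and "10 of 54". The seeded sample matters for audit work: anyone re-performing the test with the same seed and population reproduces the same dates.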
13    DCPS Change Management

13.1  DISA or DFAS-initiated application, software, or hardware modifications are authorized, and the documentation is maintained.

      13.1.1 DISA DECC-MECH
      Control Activities: Procedures addressing the testing of patches, upgrades, and new Automated Information System applications are documented. All changes to information systems at DISA DECC-MECH are brought before at least one of two Change Control Boards (CCBs). DISA headquarters has an Executive Software CCB (ESCCB) that is responsible for reviewing all major system changes, including new versions, new software, and the removal of software. There is also a local CCB at DISA DECC-MECH that meets on a weekly basis. The local CCB is responsible for reviewing all operating system upgrades and fixes. The local CCB is also responsible for alerting the customer to the change, obtaining the customer approval before proceeding, and maintaining the change control records.
      Tests Performed: Obtained and inspected the change management policies and procedures for systems software to confirm that they exist and are current. Requested the full population of code/database modifications from the DCPS production code library which occurred during the audit period under review (10/01/07 through 3/31/08) and traced a sample of modifications to an approved System Change Request (SCR). For the modifications selected, obtained the change request document and confirmed that it was approved by key personnel prior to implementation. Confirmed that each modification was tested and the test results were approved prior to the modification being implemented. Confirmed the modification is documented by inspecting the SCR; System Test Plan; detailed system specifications; and unit, system, and acceptance testing results.
      Results of Testing: We could not confirm that changes were tested prior to implementation due to the lack of traceability between the MZO change request tickets and the MZF change tickets.

      13.1.2 DISA DECC-MECH
      Control Activities: The DISA Executive Software CCB consists of representatives of DISA management, as well as all the DISA DECCs. The DISA DECC-MECH local CCB consists of all department heads and the Information Assurance Manager.

      13.1.3 DFAS Saufley Field
      Control Activities: Testing of changes follows the approved process outlined in the DFAS TSO Business Process Handbook prior to implementation. A Testing Deficiency Report is issued for SCRs with negative test results, and the Transportation Discrepancy Report is routed to the appropriate individuals. If necessary, an amendment is issued and it processes through the same approval process as an SCR.
      Tests Performed: Using the same random sample selected for control objective 13.1, we confirmed that the DCPS application changes followed the appropriate test and migration process by inspecting the following for completeness, authorization, and software quality requirements:
      • system test plan;
      • detailed system specifications; and
      • unit, system, and acceptance testing results.
      Inquired with DCPS security personnel as to their roles and responsibilities for the release of security-related changes included in DCPS releases. Inspected release notes for the major DCPS production releases that occurred during the audit period.
      Results of Testing: No relevant exceptions noted.

      13.1.4 DFAS Saufley Field
      Control Activities: Release management staff is responsible for ensuring that all programs are labeled and inventoried within the appropriate library.
      Tests Performed: Using the same random sample selected for control objective 13.1, confirmed that the changes had been labeled, assigned an
      Results of Testing: No relevant exceptions noted.
ID, and inventoried.\n\n\n       New and modified              13.2.1 DFAS Saufley Field                DFAS Saufley Field                           No documentation\n13.2\n       application, hardware, and                                                                                          exists that states which\n                                     Release management staff is              Using the same random sample selected\n       operating system or utility                                                                                         configurable items are\n                                     responsible for distribution or          for control objective 13.1, confirmed that\n       software is tested and                                                                                              required to be tested\n                                     implementation of new or revised         the change followed the appropriate\n       controlled according to                                                                                             before implementation.\n                                     software.                                distribution process by inspecting the\n       specific criteria.                                                                                                  
However, we noted that\n                                                                              Release Authorization Report for\n                                                                                                                           the Business Process\n                                                                              completeness and authorization.\n                                                                                                                           Handbook is under\n                                                                                                                           revision to include the\n                                                                                                                           testable types of\n                                                                                                                           configurable items.\n\n       Emergency changes are         13.3.1 DFAS Saufley Field                DFAS Saufley Field                           No relevant exceptions\n13.3\n       promptly approved.                                                                                                  noted.\n                                     A Configuration Management Plan is       Using the same random sample selected\n                                     implemented for software                 for control objective 13.1, we confirmed\n                                     modifications. 
All modifications         through inspection that the DCPS\n                                     must go through the SCR process and      emergency changes have been authorized\n                                     receive proper approval prior to         by the program manager and/or software\n                                     implementation, including                director and traced each SCR identified in\n                                     emergency changes made during            the Release Authorization Report to\n                                     business hours. Emergency changes        confirm it has been approved by the\n                                     that arise during non-business hours     software director.\n                                     may be implemented prior to SCR\n                                     approval; however, the SCRs are\n                                     approved through the change process\n                                     the next day.\n\n\n       Movement of programs and      13.4.1 DFAS Saufley Field                DFAS Saufley Field\n13.4                                                                                                                       We were unable to\n       data among libraries is\n                                     The system administrator manages         Observed the DCPS librarian to               confirm that two of the\n       controlled.\n                                     access rights to the program libraries   determine how the development and            five DCPS users\n                                                                      109\n\x0cNo.       Control Objectives               Control Activities                        Tests Performed                    Results of Testing\n\n\n                                  and databases through ACF2. The        production libraries are controlled.         
obtained authorization\n                                  database administrator grants access                                                to access both the MZO\n                                                                         Inspected the access control lists for the\n                                  to the appropriate                                                                  development LPAR and\n                                                                         production and development libraries\n                                  development/production                                                              MZF production LPAR.\n                                                                         (directories) to confirm that only\n                                  environments through IDMS. IDMS\n                                                                         authorized personnel have access.\n                                  controls versioning in both the\n                                  development and production\n                                  environments.\n\n\n       Use of public domain and   13.5.1 DFAS Saufley Field              DFAS Saufley Field                           No relevant exceptions\n13.5\n       personal software is                                                                                           noted.\n                                  DFAS workstations and LANs do not      Inspected the DCPS SSAA to confirm\n       restricted.\n                                  allow any use of public domain         that personal software is restricted.\n                                  and/or personal software. 
DCPS is\n                                                                         Inspected a listing of approved software\n                                  on the mainframe and all utilities\n                                                                         to confirm such a list exists.\n                                  needed are on the mainframe (which\n                                  is DISA-driven).\n\n\n\n\n                                                                 110\n\x0cNo.        Control Objectives                    Control Activities                           Tests Performed                    Results of Testing\n\n\n\n       Changes to the DoD              13.6.1 DISA DECC-MECH                      DISA DECC-MECH                               DISA DECC-MECH:\n13.6\n       information system are\n                                       All changes are captured in the            Obtained the CCB meeting minutes for         We could not confirm\n       assessed for IA and\n                                       Change Management System                   that random sample of changes previously     that changes were\n       accreditation impact prior to\n                                       (Change Management 2000).                  noted. Confirmed the CCB meeting             tested prior to\n       implementation.\n                                       Information included in each change        minutes included the discussion of the       implementation due to\n                                       record is the requested time and date      DCPS changes and confirmed whether           the lack of traceability\n                                       of implementation, the action to           management assessed the change for IA        between the MZO\n                                       occur, and justification for the action.   and accreditation impact.                    
change request tickets\n                                       The change is then presented to the                                                     and the MZF change\n                                                                                  Determined whether the changes were\n                                       local CCB where the change is                                                           tickets.\n                                                                                  approved by the CCB and testing has\n                                       assessed for IA and accreditation\n                                                                                  been completed and approved prior to\n                                       impact. The change is only\n                                                                                  implementation into the production\n                                       implemented after approval from the                                                     DFAS Saufley Field:\n                                                                                  environment.\n                                       CCB and testing is completed and\n                                                                                                                               No relevant exceptions\n                                       reviewed.\n                                                                                                                               noted.\n\n                                       13.6.2 DFAS Saufley Field                  DFAS Saufley Field\n                                       All changes are captured in the            Using the same random sample selected\n                                       Change Management Information              for control objective 13.1, confirmed that\n                                       System. 
Information included in            the change record includes the requested\n                                       each change record is the                  time and date of implementation, the\n                                       implementation, the action to occur,       action to occur, and justification for the\n                                       and justification for the action. In       action.\n                                       addition, all changes are assessed by\n                                       the IA officers.\n\n\n\n\n                                                                         111\n\x0cNo.       Control Objectives               Control Activities                        Tests Performed                     Results of Testing\n\n\n\n14     Data Retention\n\n       Data and program back-up   14.1.1 DFAS Saufley Field              DFAS Saufley Field                            DFAS Saufley Field:\n14.1\n       procedures have been\n                                  Data and program back-up               Obtained the Business Continuity Plan to      No relevant exceptions\n       implemented.\n                                  procedures have been established by    confirm that it specifies the data and        noted.\n                                  DFAS management                        program back-up procedures that have\n                                                                         been implemented related to DCPS.\n                                                                                                                       DISA DECC-MECH:\n                                                                         Inquired with key personnel that\n                                  DISA DECC-MECH\n                                                                         resources are dedicated to the periodic       The Tape Library\n                                  Data and program back-up               
backing-up and restoration of data stored     Procedures did not\n                                  procedures have been established by    on network share drives.                      include an update to\n                                  DFAS management and are included                                                     reflect the new process\n                                                                         DISA DECC-MECH\n                                  in the DISA DECC-MECH Business                                                       and storage facility\n                                  Continuity Plan as prescribed in the   Obtained the Business Continuity Plan to      used for back-up tapes.\n                                  SLA between DISA and DFAS.             confirm that it specifies the data and\n                                                                         program back-up procedures that have\n                                                                         been implemented related to DCPS.\n                                                                         Inquired with key personnel that\n                                                                         resources are dedicated to the periodic\n                                                                         backing-up and restoration of data stored\n                                                                         on network share drives.\n                                                                         Confirmed how often backups are\n                                                                         performed, shipped to an offsite facility,\n                                                                         and that the backups are maintained at the\n                                                                         offsite facility in a fire rated container.\n                                                 
                        Selected a random sample of dates, which\n                                                                         occurred during the audit period, and\n                                                                         obtained the back-up logs. Confirmed\n                                                                         through inspection that the log is\n                                                                         completed, based on the back-up policies\n                                                                         and procedures.\n\n                                                                 112\n\x0c   Section IV: Supplemental Information Provided\nby the Defense Finance and Accounting Service and the\n         Defense Information Systems Agency\n\n\n\n\n                        113\n\x0c\x0cIV. Supplemental Information Provided by the Defense\nFinance and Accounting Service and the Defense Information\nSystems Agency\n\nIntroduction\n\nDFAS and DISA have prepared this section and it is included to provide user\norganizations with information DFAS and DISA believes will be of interest to such\norganizations. However, this information is not covered within the scope or control\nobjectives established for the SAS 70 review. Specifically, this section includes a\nsummary of procedures that DFAS and DISA have implemented to enable them to\nrecover from a disaster affecting a Payroll Office, the TSOPE, or DISA DECC-MECH.\n\nThis information has not been subjected to the procedures applied to the audit of the\ndescription of controls presented in Sections II and III of this report. 
As a result, the DoD OIG expresses no opinion regarding the completeness and accuracy
of this information.

TSOPE Specific Business Continuity Plans

The DCPS production support Continuity of Operations Plan (COOP) provides an action
plan to be implemented when a disaster or impending threat would render DCPS
production support inoperable (for example, hurricane, damage to TSOPE facilities due
to fire). This plan is evaluated and updated on an annual basis and is implemented
locally at each of the established DCPS Payroll Offices. If an impending threat or event
occurs, production support control for DCPS is transferred to an alternate-processing site.
Currently, that site is DFAS Indianapolis, Indiana. The COOP includes the names of
DCPS staff members who will serve as a pool of resources to be mobilized to execute the
plan and a list of documentation and supplies that are necessary to support the mobilized
team.

Team members are comprised of DCPS development staff members across many
divisions and branches. TSOPE designates two members of the management team to be
responsible for COOP execution. One is mobilized with the team and is responsible for
team activities and communication with TSOPE while deployed to the COOP recovery
site. The other serves as the team's liaison at TSOPE and is responsible for relaying
current operational status, current area weather conditions, and other pertinent
information to the mobilized team. The team is further divided into two teams, with each
covering a 12-hour shift. Team leaders are appointed for the respective shift teams. The
DCPS project management staff coordinate and are involved in each step included in
planning and executing the COOP. Although this plan works for any type of disaster
where production support becomes inoperable, it has been executed several times in the
past few years during impending disastrous weather conditions, such as hurricanes.

                                            115

DECC-MECH Business Continuity Plans

To accommodate a major disaster at any major DISA processing center, DISA has
established an Enterprise Business Continuity Program. The DISA plan uses multiple
internal locations and, for mainframe processing, utilizes the Assured Computing
Environment infrastructure elements located at DISA DECC-MECH and Ogden. DISA
DECC-MECH and Ogden are equipped with computational direct access storage devices
and telecommunication resources necessary to provide a fully functional host site with
the capacity to support a major disaster at any DISA center with mainframe processing.

The COOP support agreement between DFAS, as the customer, and DISA, as the provider of
processing systems and communications services, describes a process for restoring host-site
processing in the event of a major disaster. The plan also addresses the timely resolution of
problems during other disruptions that adversely affect DCPS processing. The plan, as it relates
to DCPS, details data restoration procedures for the MZF z/OS operating system, the DCPS
Integrated Database Management System, and related mid-tier servers and communication
devices. Replicated data and back-up tapes containing incremental daily and complete weekly
backups are rotated offsite to designated locations, on a predetermined schedule, for storage.

The Crisis Management Team at DISA DECC-MECH is responsible for declaring that a disaster
has occurred and activating the Business Continuity Plan. Once a disaster has been declared, the
Crisis Management Team activates the following response teams: Communications Team,
Recovery Coordination Team, Site Recovery Team, and the Crisis Support Team. Each team
has a specific set of responsibilities defined in the Business Continuity Plan. The contact
information for each individual on each team is also included in the Business Continuity Plan.
The plan is required to be tested on an annual basis. The Business Continuity Plan was tested in
November 2005. TSOPE personnel participate in the yearly COOP exercise to ensure that the
process works correctly and documentation is updated appropriately.

DFAS Indianapolis 592 Reconciliation Report Policies and Procedures

Policies and procedures for performing the 592 Payroll for Personal Services Payroll
Certification and Summary Report reconciliation have been developed and documented at the
DFAS Indianapolis Payroll Office. Uniform procedures are in place for both DFAS Civilian
Payroll Offices for reconciliation of the 592.

DCPS Password Configuration

The access control software for the environment on which DCPS resides, ACF2, supports
complex passwords, and complex passwords are utilized.

                                           116

    Acronyms and Abbreviations

ACF2      Access Control Facility 2
ATO       Authority to Operate
BBG       Broadcast Board of Governors
BRAC      Base Realignment and Closure
CCB       Change Control Board
COOP      Continuity of Operations Plan
CSR       Customer Service Representative
DAA       Designated Approval Authority
DCPS      Defense Civilian Pay System
DECC      Defense Enterprise Computing Center
DFAS      Defense Finance and Accounting Service
DISA      Defense Information Systems Agency
DITSCAP   Department of Defense Information Technology Security
            Certification and Accreditation Process
DoE       Department of Energy
EOP       Executive Office of the President
EPA       Environmental Protection Agency
FSO       Field Security Operations
HHS       Health and Human Services
IA        Information Assurance
IDMS      Integrated Database Management System
IS        Information Security
ISSO      Information System Security Officer
LAN       Local Area Network
LPAR      Logical Partition
MAC       Mission Assurance Category
MECH      Mechanicsburg
MIAP      Multi-Host Internet Access Portal
NIPRNET   Non-Classified Internet Protocol Router Network
NSA       National Security Agency
OIG       Office of the Inspector General
OLQ       Online Queries
PIIR      Personnel Interface Invalid Report
SAAR      Systems Access Authorization Request
SAS 70    Standards of Auditing Standards 70
SCR       System Change Request
SLA       Service-Level Agreement
SMC       System Management Center

                                     117

SOP       Standard Operating Procedure
SRR       System Readiness Review
SSAA      System Security Authorization Agreement
SSN       Social Security Number
STIG      Security Technical Implementation Guide
SWA       Secure Web Access
TASO      Terminal Area Security Officer
TSO       Technology Services Organization
TSOPE     Technology Services Engineering Organization in Pensacola
TSP       Thrift Savings Plan
VA        Veterans Affairs
VMS       Vulnerability Management System
VPN       Virtual Private Network

                                    118

Team Members

The Defense Financial Auditing Service, DoD OIG, in conjunction with contract auditors
produced this report. Personnel from the Technical Assessment Directorate and Quantitative
Methods Directorate, DoD OIG, also contributed to the report.

Patricia A. Marsh
Patricia Remington
Kenneth H. Stavenjord
Donna A. Roberts
Mihn Tran
Ahn Tran
Ann Thompson
Carl L. Adams
Anissa M. Nash
Kiana E. Silver
Shawn Sparks
Brian Royer
Alberto Calimano-Colon
'